From 7f0f399c38bc01c37e6c9b4b6b2c826dc0d94bd1 Mon Sep 17 00:00:00 2001 
From: yairra Date: Thu, 13 Jun 2024 10:58:26 +0300 Subject: [PATCH] Azure Templates Improvements | Terraform --- .../high-availability-existing-vnet/README.md | 147 +++++++------ .../high-availability-existing-vnet/main.tf | 50 +++-- .../terraform.tfvars | 6 +- .../variables.tf | 20 +- .../versions.tf | 4 +- .../high-availability-new-vnet/README.md | 151 +++++++------ .../azure/high-availability-new-vnet/main.tf | 50 +++-- .../terraform.tfvars | 7 +- .../high-availability-new-vnet/variables.tf | 24 ++- .../high-availability-new-vnet/versions.tf | 4 +- .../azure/management-existing-vnet/README.md | 126 ++++++----- .../azure/management-existing-vnet/main.tf | 15 +- .../management-existing-vnet/terraform.tfvars | 3 + .../management-existing-vnet/variables.tf | 28 ++- .../management-existing-vnet/versions.tf | 4 +- terraform/azure/management-new-vnet/README.md | 123 ++++++----- terraform/azure/management-new-vnet/main.tf | 18 +- .../management-new-vnet/terraform.tfvars | 7 +- .../azure/management-new-vnet/variables.tf | 28 ++- .../azure/management-new-vnet/versions.tf | 6 +- terraform/azure/mds-existing-vnet/README.md | 135 ++++++------ terraform/azure/mds-existing-vnet/main.tf | 15 +- .../azure/mds-existing-vnet/terraform.tfvars | 5 +- .../azure/mds-existing-vnet/variables.tf | 27 ++- terraform/azure/mds-existing-vnet/versions.tf | 4 +- terraform/azure/mds-new-vnet/README.md | 121 ++++++----- terraform/azure/mds-new-vnet/main.tf | 19 +- terraform/azure/mds-new-vnet/terraform.tfvars | 5 +- terraform/azure/mds-new-vnet/variables.tf | 27 ++- terraform/azure/mds-new-vnet/versions.tf | 4 +- terraform/azure/modules/add-routing-intent.py | 29 --- terraform/azure/modules/common/outputs.tf | 3 + terraform/azure/modules/common/variables.tf | 64 +++++- terraform/azure/modules/vnet/main.tf | 2 +- terraform/azure/modules/vnet/variables.tf | 6 +- .../azure/nva-into-existing-hub/README.md | 118 +++++------ .../azure/nva-into-existing-hub/variables.tf | 1 + 
terraform/azure/nva-into-new-vwan/README.md | 131 ++++++------ .../azure/nva-into-new-vwan/variables.tf | 9 +- .../single-gateway-existing-vnet/README.md | 137 ++++++------ .../single-gateway-existing-vnet/main.tf | 25 ++- .../terraform.tfvars | 5 +- .../single-gateway-existing-vnet/variables.tf | 27 ++- .../single-gateway-existing-vnet/versions.tf | 4 +- .../azure/single-gateway-new-vnet/README.md | 130 ++++++------ .../azure/single-gateway-new-vnet/main.tf | 29 ++- .../single-gateway-new-vnet/terraform.tfvars | 5 +- .../single-gateway-new-vnet/variables.tf | 35 ++- .../azure/single-gateway-new-vnet/versions.tf | 4 +- terraform/azure/vmss-existing-vnet/README.md | 180 ++++++++-------- terraform/azure/vmss-existing-vnet/main.tf | 200 +++++++++--------- .../azure/vmss-existing-vnet/terraform.tfvars | 80 +++---- .../azure/vmss-existing-vnet/variables.tf | 31 ++- .../azure/vmss-existing-vnet/versions.tf | 14 ++ terraform/azure/vmss-new-vnet/README.md | 179 ++++++++-------- terraform/azure/vmss-new-vnet/main.tf | 198 ++++++++--------- .../azure/vmss-new-vnet/terraform.tfvars | 79 +++---- terraform/azure/vmss-new-vnet/variables.tf | 35 ++- terraform/azure/vmss-new-vnet/versions.tf | 14 ++ 59 files changed, 1738 insertions(+), 1219 deletions(-) delete mode 100755 terraform/azure/modules/add-routing-intent.py create mode 100755 terraform/azure/vmss-existing-vnet/versions.tf create mode 100755 terraform/azure/vmss-new-vnet/versions.tf diff --git a/terraform/azure/high-availability-existing-vnet/README.md b/terraform/azure/high-availability-existing-vnet/README.md index 5aa56ce8..6c0b5d4c 100755 --- a/terraform/azure/high-availability-existing-vnet/README.md +++ b/terraform/azure/high-availability-existing-vnet/README.md 
@@ -71,77 +71,82 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | - | | | | | | - | **frontend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. The IP addresses are defined by their position in the frontend subnet. | list(number) | - | | | | | | - | **backend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. 
The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet. | list(number) | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | - | | | | | | - | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | - | | | | | | - | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | 
+ | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a | + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" | + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a | + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a | + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a | + | | | | | | + | **frontend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth0 NICs and the cluster vip ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given frontend subnet prefix. 
The IP addresses are defined by their position in the frontend subnet | list(number) | | n/a + | | | | | | + | **backend_IP_addresses** | A list of three whole numbers representing the private ip addresses of the members eth1 NICs and the backend lb ip addresses. The numbers can be represented as binary integers with no more than the number of digits remaining in the address after the given backend subnet prefix. The IP addresses are defined by their position in the backend subnet | list(number) | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501)| string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r81.10";
"check-point-cg-r81.20"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false | + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | n/a | + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | n/a | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + ## Conditional creation - To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: ``` @@ -203,12 +208,16 @@ availability_type = "Availability Zone" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230212 | - Added Smart-1 Cloud support | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | diff --git a/terraform/azure/high-availability-existing-vnet/main.tf b/terraform/azure/high-availability-existing-vnet/main.tf index d145e84f..cd020475 100755 --- a/terraform/azure/high-availability-existing-vnet/main.tf +++ b/terraform/azure/high-availability-existing-vnet/main.tf @@ -28,7 +28,8 @@ module "common" { vm_os_offer = var.vm_os_offer authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// @@ -95,7 +96,7 @@ resource "azurerm_network_interface" "nic_vip" { primary = true subnet_id = data.azurerm_subnet.frontend.id private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[0]) + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[0]) public_ip_address_id = azurerm_public_ip.public-ip.0.id } ip_configuration { @@ -103,7 +104,7 @@ resource "azurerm_network_interface" "nic_vip" { subnet_id = data.azurerm_subnet.frontend.id primary = false private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[2]) + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[2]) public_ip_address_id = azurerm_public_ip.cluster-vip.id } lifecycle { 
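Review bot: The `private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], …)` lines in `nic_vip` hard-code the first prefix of a subnet this template does not own, so on an existing subnet that carries more than one address prefix the members and the cluster VIP land in whichever prefix Azure lists first, with no diagnostic. Since `frontend_IP_addresses` are documented as positions within "the frontend subnet", a plan-time guard makes the assumption explicit; if the Terraform version pinned in `versions.tf` (changed in this patch but not shown) is at least 1.2, the precondition below fits in the existing `lifecycle` block, otherwise a README line stating that multi-prefix subnets are unsupported is the fallback. The same `[0]` index is used in the `nic`, `nic1` and `backend-lb` hunks further down, so the guard belongs wherever those subnets are read. `nic_vip` starts and ends outside this hunk.
```hcl
  lifecycle {
    precondition {
      condition     = length(data.azurerm_subnet.frontend.address_prefixes) == 1
      error_message = "The frontend subnet must have exactly one address prefix; member and VIP addresses are computed from address_prefixes[0]."
    }
    # … unchanged: existing lifecycle settings …
  }
```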
@@ -137,7 +138,7 @@ resource "azurerm_network_interface" "nic" { primary = true subnet_id = data.azurerm_subnet.frontend.id private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefix, var.frontend_IP_addresses[1]) + private_ip_address = cidrhost(data.azurerm_subnet.frontend.address_prefixes[0], var.frontend_IP_addresses[1]) public_ip_address_id = azurerm_public_ip.public-ip.1.id } lifecycle { @@ -170,7 +171,7 @@ resource "azurerm_network_interface" "nic1" { name = "ipconfig2" subnet_id = data.azurerm_subnet.backend.id private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefix, var.backend_IP_addresses[count.index+1]) + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1]) } } @@ -208,7 +209,6 @@ resource "azurerm_lb" "frontend-lb" { } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { - resource_group_name = module.common.resource_group_name loadbalancer_id = azurerm_lb.frontend-lb.id name = "frontend-lb-pool" } 
@@ -222,19 +222,17 @@ resource "azurerm_lb" "backend-lb" { name = "backend-lb" subnet_id = data.azurerm_subnet.backend.id private_ip_address_allocation = var.vnet_allocation_method - private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefix, var.backend_IP_addresses[0]) + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0]) } } resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { name = "backend-lb-pool" loadbalancer_id = azurerm_lb.backend-lb.id - resource_group_name = module.common.resource_group_name } resource "azurerm_lb_probe" "azure_lb_healprob" { count = 2 - resource_group_name = module.common.resource_group_name loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id name = var.lb_probe_name protocol = var.lb_probe_protocol @@ -244,7 +242,6 @@ resource "azurerm_lb_probe" "azure_lb_healprob" { } resource "azurerm_lb_rule" "backend_lb_rules" { - resource_group_name = module.common.resource_group_name loadbalancer_id = azurerm_lb.backend-lb.id name = "backend-lb" protocol = "All" @@ -252,7 +249,7 @@ resource "azurerm_lb_rule" "backend_lb_rules" { backend_port = 0 frontend_ip_configuration_name = "backend-lb" load_distribution = "Default" - backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id] probe_id = azurerm_lb_probe.azure_lb_healprob[1].id enable_floating_ip = var.enable_floating_ip } 
@@ -287,6 +284,15 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { location = module.common.resource_group_location account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } } //********************** Virtual Machines **************************// @@ -493,12 +499,26 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { } } //********************** Role Assigments **************************// -data "azurerm_role_definition" "role_definition" { - name = module.common.role_definition +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" } data "azurerm_client_config" "client_config" { } -resource "azurerm_role_assignment" "cluster_assigment" { +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} +resource "azurerm_role_assignment" "cluster_reader_assigment" { count = 2 lifecycle { ignore_changes = [ 
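Review bot: The added `network_rules` block leaves the boot-diagnostics storage account open to every network by default: `default_action` resolves to `"Allow"` whenever `add_storage_account_ip_rules` is false, which is the value `variables.tf` defaults it to in this same patch, and the `ip_rules` list is then inert. Because this is the account the README ties to the Serial Console of the gateways, denying by default (`default = true` on the variable, or an unconditional `default_action = "Deny"` with `storage_account_additional_ips` as the opt-out) is the safer shipping state; if the open default is deliberate, say so inline, e.g. `# "Allow" keeps the serial console reachable from any network; set add_storage_account_ip_rules = true to restrict it to the per-region serial console IPs plus storage_account_additional_ips`. With `Deny` active the block sets no `bypass`, so confirm the provider default still includes `AzureServices`, otherwise the platform may not be able to write boot diagnostics at all. `days = "15"` is a numeric attribute and reads more honestly as `days = 15`. The `azurerm_storage_account` resource begins outside this hunk.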
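Review bot: `cluster_virtual_machine_contributor_assignment` gives each member's system-assigned identity the built-in Virtual Machine Contributor role over the whole resource group; that built-in role carries `Microsoft.Compute/virtualMachines/*` (run-command and extension installation included) on every VM in the group, not just the two members, so a compromised gateway could act on any co-located VM. If cluster failover only needs to move ip-configurations and public IPs between NICs, a custom role scoped to the `Microsoft.Network/networkInterfaces/*` and `Microsoft.Network/publicIPAddresses/*` actions it actually calls would be tighter — I cannot see what `module.common.role_definition` named before, so this may be wider or narrower than the previous grant, and a comment recording why VM Contributor was chosen would settle it. The copied `ignore_changes = [role_definition_id, principal_id]` also means any later change to the role is never reconciled on existing assignments; either drop `role_definition_id` from the list or note the reason, e.g. `# role_definition_id is ignored to avoid churn on the built-in role's scoped id; change the role by replacing this resource`. `cluster_reader_assigment` is opened here and continues into the next hunk.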
@@ -506,6 +526,6 @@ resource "azurerm_role_assignment" "cluster_assigment" {
 ]
 }
 scope = module.common.resource_group_id
- role_definition_id = data.azurerm_role_definition.role_definition.id
+ role_definition_id = data.azurerm_role_definition.reader_role_definition.id
 principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id")
 }
\ No newline at end of file
diff --git a/terraform/azure/high-availability-existing-vnet/terraform.tfvars b/terraform/azure/high-availability-existing-vnet/terraform.tfvars
index 541113c2..e235eaa9 100755
--- a/terraform/azure/high-availability-existing-vnet/terraform.tfvars
+++ b/terraform/azure/high-availability-existing-vnet/terraform.tfvars
@@ -31,6 +31,8 @@ enable_floating_ip = "PLEASE ENTER true or false"
 use_public_ip_prefix = "PLEASE ENTER true or false" # false
 create_public_ip_prefix = "PLEASE ENTER true or false" # false
 existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # ""
-admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/high-availability-existing-vnet/variables.tf b/terraform/azure/high-availability-existing-vnet/variables.tf
index e71ffe87..c11fa238 100755
--- a/terraform/azure/high-availability-existing-vnet/variables.tf
+++ b/terraform/azure/high-availability-existing-vnet/variables.tf
@@ -83,7 +83,7 @@ variable "template_name" {
 variable "template_version" {
 description = "Template version. It is recommended to always use the latest template version"
 type = string
- default = "20210111"
+ default = "20230910"
 }
 variable "installation_type" {
@@ -104,7 +104,7 @@ variable "vm_size" {
 }
 variable "disk_size" {
- description = "Storage data disk size size(GB).Select a number between 100 and 3995"
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
 type = string
 }
@@ -171,6 +171,7 @@ variable "is_blink" {
 variable "admin_shell" {
 description = "The admin shell to configure on machine or the first time"
 type = string
+ default = "/etc/cli.sh"
 }
 locals {
@@ -233,7 +234,7 @@ variable "lb_probe_port" {
 variable "lb_probe_protocol" {
 description = "Protocols to be used for load balancer health probes and rules"
- default = "tcp"
+ default = "Tcp"
 }
 variable "lb_probe_unhealthy_threshold" {
@@ -252,6 +253,17 @@ variable "bootstrap_script" {
 #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 }
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
 //********************** Credentials **************************//
 variable "tenant_id" {
 description = "Tenant ID"
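Review bot: `storage_account_additional_ips` is declared as a bare `list(string)` and, per the main.tf hunk above, flows straight into the storage account's `ip_rules`, so a malformed entry (a hostname, a stray port, or a `/31`–`/32` prefix that Azure Storage IP rules do not accept) surfaces only at apply time as a provider error. A `validation` block on the variable rejects such entries at plan time; it needs Terraform 0.13+, and `alltrue` 0.14+ — required_version is not visible here. The description of `add_storage_account_ip_rules` should also say what false means, since the storage account then accepts requests from all networks: `description = "When true, add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location plus storage_account_additional_ips; when false, all networks are allowed"`. The same two variables are added to high-availability-new-vnet/variables.tf later in this patch.
```terraform
variable "storage_account_additional_ips" {
  type        = list(string)
  description = "IPs/CIDRs that are allowed access to the Storage Account"
  default     = []
  validation {
    # Azure Storage IP rules take public IPv4 addresses or CIDR ranges; /31 and /32 are not accepted
    condition = alltrue([
      for entry in var.storage_account_additional_ips :
      can(regex("^(\\d{1,3}\\.){3}\\d{1,3}(/([0-9]|[12][0-9]|30))?$", entry))
    ])
    error_message = "Each entry in storage_account_additional_ips must be an IPv4 address or a CIDR range with prefix length 0-30."
  }
}
```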
@@ -324,4 +336,4 @@ locals{
 is_both_tokens_the_same = local.acutal_token_a == local.acutal_token_b
 validation_message_unique = "Same Smart-1 Cloud token used for both memeber, you must provide unique token for each member"
 __ = local.is_tokens_used ? regex("^$", (local.is_both_tokens_the_same ? local.validation_message_unique : "")) : ""
-}
+}
\ No newline at end of file
diff --git a/terraform/azure/high-availability-existing-vnet/versions.tf b/terraform/azure/high-availability-existing-vnet/versions.tf
index 0a005a98..0d5ca4f3 100755
--- a/terraform/azure/high-availability-existing-vnet/versions.tf
+++ b/terraform/azure/high-availability-existing-vnet/versions.tf
@@ -3,10 +3,10 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.92.0"
+ version = "~> 3.81.0"
 }
 random = {
- version = "~> 2.2.1"
+ version = "~> 3.5.1"
 }
 }
 }
\ No newline at end of file
diff --git a/terraform/azure/high-availability-new-vnet/README.md b/terraform/azure/high-availability-new-vnet/README.md
index 9065754c..8cf1fdea 100755
--- a/terraform/azure/high-availability-new-vnet/README.md
+++ b/terraform/azure/high-availability-new-vnet/README.md
@@ -75,71 +75,79 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | - | | | | | | - | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone";
"Availability Set"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring. | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true;
false; | - | | | | | | - | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used. | boolean | true;
false; | - | | | | | | - | **existing_public_ip_prefix_id** | The existing public IP prefix resource id. | string | Existing public IP prefix resource id | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------|---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a | + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a | + | | | | | | + | **cluster_name** | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a | + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" | + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined 
by address_space variable) | ["10.0.0.0/24", "10.0.1.0/24"] | + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a | + | | | | | | + | **smart_1_cloud_token_a** | Smart-1 Cloud token to connect automatically ***Member A*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart_1_cloud_token_b** | Smart-1 Cloud token to connect automatically ***Member B*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a | + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license;| n/a | + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a | + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a | + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a | + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a | + | | | | | | + | **availability_type** | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone | string | "Availability Zone";
"Availability Set"; | "Availability Zone" | + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for Cluster members monitoring | boolean | true;
false; | true | + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false | + | | | | | | + | **use_public_ip_prefix** | Indicates whether the public IP resources will be deployed with public IP prefix | boolean | true;
false; | false| + | | | | | | + | **create_public_ip_prefix** | Indicates whether the public IP prefix will created or an existing will be used | boolean | true;
false; | false | + | | | | | | + | **existing_public_ip_prefix_id** | The existing public IP prefix resource id | string | Existing public IP prefix resource id | ""| + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" | + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] + + ## Conditional creation - To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines: ``` @@ -197,18 +205,23 @@ availability_type = "Availability Zone" existing_public_ip_prefix_id = "" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20230212 | - Added Smart-1 Cloud support | | | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | | | | | -| 20220111 | - Added support to select different shells. | +| 20220111 | - Added support to select different shells | | | | | | 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | | | | | @@ -218,7 +231,7 @@ In order to check the template version refer to the [sk116585](https://supportce | | | | | 20200305 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment for Azure | | | | | -| | Addition of "templateType" parameter to "cloud-version" files. | +| | Addition of "templateType" parameter to "cloud-version" files | | | | | ## License diff --git a/terraform/azure/high-availability-new-vnet/main.tf b/terraform/azure/high-availability-new-vnet/main.tf index a24c1a9e..56495095 100755 --- a/terraform/azure/high-availability-new-vnet/main.tf +++ b/terraform/azure/high-availability-new-vnet/main.tf @@ -28,6 +28,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// @@ -36,13 +37,14 @@ module "vnet" { vnet_name = var.vnet_name resource_group_name = module.common.resource_group_name location = module.common.resource_group_location - nsg_id = module.network-security-group.network_security_group_id + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id address_space = var.address_space subnet_prefixes = var.subnet_prefixes } module "network-security-group" { source = "../modules/network-security-group" + count = var.nsg_id == "" ? 1 : 0 resource_group_name = module.common.resource_group_name security_group_name = "${module.common.resource_group_name}_nsg" location = module.common.resource_group_location 
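Review bot: `nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id` attaches a caller-supplied NSG as-is, so when `nsg_id` is set the rules the bundled network-security-group module would have created are never applied and nothing in the hunk checks that the supplied group permits the traffic this deployment relies on (for example the load-balancer health probes defined later in this file); a comment above `module "vnet"` such as `# When nsg_id is set the existing NSG is attached unchanged; its rules must already allow the cluster's required traffic` would make that ownership explicit. The `count = var.nsg_id == "" ? 1 : 0` gate makes the empty string the only "create" signal, so a `null` default for `nsg_id` would not work — worth noting in the variable description. A space is missing before the `:` in the `nsg_id` conditional. `module "vnet"` starts before the hunk and `module "network-security-group"` continues past it.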
@@ -96,7 +98,6 @@ resource "azurerm_public_ip" "cluster-vip" {
 sku = var.sku
 domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}"
 public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null
-
 }
 resource "azurerm_network_interface" "nic_vip" {
@@ -136,8 +137,8 @@ resource "azurerm_network_interface" "nic_vip" {
 resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" {
 depends_on = [azurerm_network_interface.nic_vip, azurerm_lb_backend_address_pool.frontend-lb-pool]
- network_interface_id = azurerm_network_interface.nic_vip.id
- ip_configuration_name = "ipconfig1"
+ network_interface_id = azurerm_network_interface.nic_vip.id
+ ip_configuration_name = "ipconfig1"
 backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool.id
 }
@@ -227,7 +228,6 @@ resource "azurerm_lb" "frontend-lb" {
 }
 resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" {
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = azurerm_lb.frontend-lb.id
 name = "frontend-lb-pool"
 }
@@ -248,12 +248,10 @@ resource "azurerm_lb" "backend-lb" {
 resource "azurerm_lb_backend_address_pool" "backend-lb-pool" {
 name = "backend-lb-pool"
 loadbalancer_id = azurerm_lb.backend-lb.id
- resource_group_name = module.common.resource_group_name
 }
 resource "azurerm_lb_probe" "azure_lb_healprob" {
 count = 2
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb.id : azurerm_lb.backend-lb.id
 name = var.lb_probe_name
 protocol = var.lb_probe_protocol
@@ -263,7 +261,6 @@ resource "azurerm_lb_probe" "azure_lb_healprob" {
 }
 resource "azurerm_lb_rule" "backend_lb_rules" {
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = azurerm_lb.backend-lb.id
 name = "backend-lb"
 protocol = "All"
@@ -271,7 +268,7 @@ resource "azurerm_lb_rule" "backend_lb_rules" {
 backend_port = 0
 frontend_ip_configuration_name = "backend-lb"
 load_distribution = "Default"
- backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool.id
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool.id]
 probe_id = azurerm_lb_probe.azure_lb_healprob[1].id
 enable_floating_ip = var.enable_floating_ip
 }
@@ -306,6 +303,15 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 location = module.common.resource_group_location
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
 }
 //********************** Virtual Machines **************************//
@@ -320,12 +326,11 @@ resource "azurerm_image" "custom-image" {
 resource_group_name = module.common.resource_group_name
 os_disk {
- os_type = "Linux"
+ os_type = "Linux"
 os_state = "Generalized"
 blob_uri = var.source_image_vhd_uri
 }
 }
-
 resource "azurerm_virtual_machine" "vm-instance-availability-set" {
 depends_on = [
 azurerm_network_interface.nic,
@@ -347,7 +352,6 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" {
 identity {
 type = module.common.vm_instance_identity
 }
-
 storage_image_reference {
 id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null
 publisher = local.custom_image_condition ? null : module.common.publisher
@@ -514,12 +518,15 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { } } //********************** Role Assigments **************************// -data "azurerm_role_definition" "role_definition" { - name = module.common.role_definition +data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { + name = "Virtual Machine Contributor" +} +data "azurerm_role_definition" "reader_role_definition" { + name = "Reader" } data "azurerm_client_config" "client_config" { } -resource "azurerm_role_assignment" "cluster_assigment" { +resource "azurerm_role_assignment" "cluster_virtual_machine_contributor_assignment" { count = 2 lifecycle { ignore_changes = [ @@ -527,6 +534,17 @@ resource "azurerm_role_assignment" "cluster_assigment" { ] } scope = module.common.resource_group_id - role_definition_id = data.azurerm_role_definition.role_definition.id + role_definition_id = data.azurerm_role_definition.virtual_machine_contributor_role_definition.id principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") } +resource "azurerm_role_assignment" "cluster_reader_assigment" { + count = 2 + lifecycle { + ignore_changes = [ + role_definition_id, principal_id + ] + } + scope = module.common.resource_group_id + role_definition_id = data.azurerm_role_definition.reader_role_definition.id + principal_id = local.availability_set_condition ? lookup(azurerm_virtual_machine.vm-instance-availability-set[count.index].identity[0], "principal_id") : lookup(azurerm_virtual_machine.vm-instance-availability-zone[count.index].identity[0], "principal_id") +} \ No newline at end of file diff --git a/terraform/azure/high-availability-new-vnet/terraform.tfvars b/terraform/azure/high-availability-new-vnet/terraform.tfvars index 8da5b3f2..7cd8490e 100755 
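Review bot: Renaming `azurerm_role_assignment.cluster_assigment` to `cluster_virtual_machine_contributor_assignment` without a `moved` block makes Terraform plan a destroy of the existing role assignment and a create of a new one on upgraded deployments, so the cluster members lose their rights on the resource group until the new grant propagates, and a recreate with the same principal, role and scope can collide with a not-yet-propagated delete in Azure RBAC. A state move keeps the object: a `moved {}` block with `from = azurerm_role_assignment.cluster_assigment` and `to = azurerm_role_assignment.cluster_virtual_machine_contributor_assignment` (needs Terraform 1.1 or later; the versions.tf hunks in this patch pin providers only, so whether a `required_version` exists is not visible here). The role is now fixed to `Virtual Machine Contributor` on the whole resource group instead of coming from `module.common.role_definition`; a comment naming which cluster operation requires that scope would justify the grant to anyone reviewing least privilege later.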
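Review bot: The new `cluster_reader_assigment` resource misspells "assignment" and is inconsistent with its sibling `cluster_virtual_machine_contributor_assignment`; since renaming a role assignment later means destroy-and-recreate, the name is worth fixing before it ships: `resource "azurerm_role_assignment" "cluster_reader_assignment" {`. Both resources repeat the same long `principal_id` conditional; a `locals` entry holding the two member principal IDs would keep them identical by construction. `Reader` on the resource group is a second standing grant for each member identity; if it covers something `Virtual Machine Contributor` does not, a one-line comment naming that need would help.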
--- a/terraform/azure/high-availability-new-vnet/terraform.tfvars +++ b/terraform/azure/high-availability-new-vnet/terraform.tfvars @@ -28,6 +28,9 @@ enable_floating_ip = "PLEASE ENTER true or false" use_public_ip_prefix = "PLEASE ENTER true or false" # false create_public_ip_prefix = "PLEASE ENTER true or false" # false existing_public_ip_prefix_id = "PLEASE ENTER IP PREFIX RESOURCE ID" # "" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/high-availability-new-vnet/variables.tf b/terraform/azure/high-availability-new-vnet/variables.tf index e02bd80a..6bb79338 100755 --- a/terraform/azure/high-availability-new-vnet/variables.tf +++ b/terraform/azure/high-availability-new-vnet/variables.tf @@ -83,7 +83,7 @@ variable "template_name" { variable "template_version" { description = "Template version. It is reccomended to always use the latest template version" type = string - default = "20210111" + default = "20230910" } variable "installation_type" { @@ -104,7 +104,7 @@ variable "vm_size" { } variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" + description = "Storage data disk size size(GB). Select a number between 100 and 3995" type = string } 
@@ -171,6 +171,7 @@ variable "is_blink" { variable "admin_shell" { description = "The admin shell to configure on machine or the first time" type = string + default = "/etc/cli.sh" } locals { @@ -216,7 +217,7 @@ variable "lb_probe_port" { variable "lb_probe_protocol" { description = "Protocols to be used for load balancer health probes and rules" - default = "tcp" + default = "Tcp" } variable "lb_probe_unhealthy_threshold" { @@ -235,7 +236,24 @@ variable "bootstrap_script" { #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" } +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} //********************** Credentials **************************// + variable "tenant_id" { description = "Tenant ID" type = string diff --git a/terraform/azure/high-availability-new-vnet/versions.tf b/terraform/azure/high-availability-new-vnet/versions.tf index 0a005a98..0d5ca4f3 100755 --- a/terraform/azure/high-availability-new-vnet/versions.tf +++ b/terraform/azure/high-availability-new-vnet/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.92.0" + version = "~> 3.81.0" } random = { - version = "~> 2.2.1" + version = "~> 3.5.1" } } } \ No newline at end of file diff --git a/terraform/azure/management-existing-vnet/README.md b/terraform/azure/management-existing-vnet/README.md index 88420291..2f9c8068 100755 --- a/terraform/azure/management-existing-vnet/README.md +++ b/terraform/azure/management-existing-vnet/README.md 
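Review bot: In the `@@ -235,7 +236,24 @@` hunk the new `variable "nsg_id"` declares no `type`, unlike the two variables added beside it, so a non-string value is not rejected at plan time and a `null` passed by a caller survives the `default = ""`; `type = string` plus `nullable = false` (Terraform 1.1+) would make the `var.nsg_id == ""` checks that main.tf uses to decide whether to create the default NSG (visible in the management-existing-vnet hunks of this patch) reliable. The `add_storage_account_ip_rules` description explains what true does but not that false leaves the storage account's default action at Allow, i.e. open to all networks, as the README states; the description is what a tfvars author actually sees. The management-existing-vnet variables.tf hunk `@@ -205,7 +206,24 @@` later in this patch adds the same three variables and needs the same changes.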
@@ -70,59 +70,65 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **mgmt_name** | Management name. | string | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | - | | | | | | - | **subnet_1st_Address** | The first available address of the subnet | string | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | - | | | | | | - | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the 
image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Management subnet name | string | The exact name of the existing subnet | n/a + | | | | | | + | **subnet_1st_Address** | The first available address of the subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Example @@ -151,22 +157,28 @@ This solution uses the following modules: authentication_type = "Password" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | | | | | -| 20220111 | - Added support to select different shells. | +| 20220111 | - Added support to select different shells | | | | | | 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | | | | | -| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into an existing Vnet in Azure. | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into an existing Vnet in Azure | | | | | -| | Addition of "templateType" parameter to "cloud-version" files. | +| | Addition of "templateType" parameter to "cloud-version" files | | | | | ## License diff --git a/terraform/azure/management-existing-vnet/main.tf b/terraform/azure/management-existing-vnet/main.tf index 8050d61c..7b0d1ffe 100755 --- a/terraform/azure/management-existing-vnet/main.tf +++ b/terraform/azure/management-existing-vnet/main.tf @@ -28,6 +28,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// @@ -42,6 +43,7 @@ resource "azurerm_public_ip" "public-ip" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name allocation_method = var.vnet_allocation_method + sku = var.sku idle_timeout_in_minutes = 30 domain_name_label = join("", [ lower(var.mgmt_name), @@ -51,6 +53,7 @@ resource "azurerm_public_ip" "public-ip" { module "network-security-group" { source = "../modules/network-security-group" + count = var.nsg_id == "" ? 1 : 0 resource_group_name = module.common.resource_group_name security_group_name = "${module.common.resource_group_name}-nsg" location = module.common.resource_group_location 
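Review bot: `sku = var.sku` is added to `azurerm_public_ip.public-ip` while `allocation_method` still comes from `var.vnet_allocation_method`; a Standard SKU public IP (the new variable's default) must use Static allocation, so a caller who keeps a Dynamic allocation method gets an apply-time error from Azure rather than a plan-time one. Either derive it, `allocation_method = var.sku == "Standard" ? "Static" : var.vnet_allocation_method`, or add a `validation` rejecting the combination. The default of `vnet_allocation_method` is outside this patch, so whether existing tfvars hit this is not visible here. The `@@ -51,6 +53,7 @@` hunk puts `count` on `module.network-security-group`, so any other reference to that module beyond the association updated in the next hunk must also gain an `[0]` index.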
@@ -157,7 +160,7 @@ module "network-security-group" { resource "azurerm_network_interface_security_group_association" "security_group_association" { depends_on = [azurerm_network_interface.nic] network_interface_id = azurerm_network_interface.nic.id - network_security_group_id = module.network-security-group.network_security_group_id + network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id } resource "azurerm_network_interface" "nic" { @@ -193,6 +196,16 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + } //********************** Virtual Machines **************************// diff --git a/terraform/azure/management-existing-vnet/terraform.tfvars b/terraform/azure/management-existing-vnet/terraform.tfvars index b6bb59bd..ea2f8f7e 100755 --- a/terraform/azure/management-existing-vnet/terraform.tfvars +++ b/terraform/azure/management-existing-vnet/terraform.tfvars @@ -25,3 +25,6 @@ authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file 
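Review bot: `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id` is missing the space before `:` that the `default_action` conditional in the same file uses, and the guard treats only the empty string as "create the default NSG": with `nsg_id` declared without a type, a caller passing `null` makes the condition false and hands `null` to a required attribute. `var.nsg_id == "" || var.nsg_id == null` here, or `nullable = false` on the variable, closes that gap.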
diff --git a/terraform/azure/management-existing-vnet/variables.tf b/terraform/azure/management-existing-vnet/variables.tf index aa648953..6030652b 100755 --- a/terraform/azure/management-existing-vnet/variables.tf +++ b/terraform/azure/management-existing-vnet/variables.tf @@ -63,7 +63,7 @@ variable "template_name" { variable "template_version" { description = "Template version. It is recommended to always use the latest template version" type = string - default = "20210111" + default = "20230910" } variable "installation_type" { @@ -78,7 +78,7 @@ variable "vm_size" { } variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" + description = "Storage data disk size size(GB). Select a number between 100 and 3995" type = string } @@ -127,6 +127,7 @@ variable "allow_upload_download" { variable "admin_shell" { description = "The admin shell to configure on machine or the first time" type = string + default = "/etc/cli.sh" } locals { @@ -205,7 +206,24 @@ variable "bootstrap_script" { #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" } +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} //********************** Credentials **************************// + variable "tenant_id" { description = "Tenant ID" type = string 
@@ -225,3 +243,9 @@ variable "client_secret" { description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." type = string } + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} diff --git a/terraform/azure/management-existing-vnet/versions.tf b/terraform/azure/management-existing-vnet/versions.tf index 0a005a98..0d5ca4f3 100755 --- a/terraform/azure/management-existing-vnet/versions.tf +++ b/terraform/azure/management-existing-vnet/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.92.0" + version = "~> 3.81.0" } random = { - version = "~> 2.2.1" + version = "~> 3.5.1" } } } \ No newline at end of file diff --git a/terraform/azure/management-new-vnet/README.md b/terraform/azure/management-new-vnet/README.md index 0e9e2419..31baa4e5 100755 --- a/terraform/azure/management-new-vnet/README.md +++ b/terraform/azure/management-new-vnet/README.md 
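Review bot: The new `variable "sku"` is documented only as `description = "SKU"`, which tells a tfvars author neither which resource it applies to nor which values are accepted; main.tf in this patch feeds it to `azurerm_public_ip.public-ip`. Suggested: `description = "SKU of the management public IP address. Standard requires a Static allocation method."`, plus a `validation` block with `condition = contains(["Basic", "Standard"], var.sku)` and a matching `error_message` so a typo fails at plan time rather than at apply.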
@@ -72,57 +72,63 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **mgmt_name** | Management name. | string | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address space that is used by a Virtual Network. | string | A valid address in CIDR notation. | - | | | | | | - | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation. | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR. | string | - | | | | | | - | **mgmt_enable_api** | Enable api access to the management. | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the 
image to be deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mgmt_name** | Management name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mgmt_enable_api** | Enable api access to the management | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | 
**vm_os_sku** | A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Example @@ -150,22 +156,27 @@ This solution uses the following modules: authentication_type = "Password" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | | | | | -| 20220111 | - Added support to select different shells. | +| 20220111 | - Added support to select different shells | | | | | | 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image | | | | | -| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into a new Vnet in Azure. | +| 20210111 | First release of Check Point CloudGuard IaaS Management Terraform deployment into a new Vnet in Azure | | | | | -| | Addition of "templateType" parameter to "cloud-version" files. | +| | Addition of "templateType" parameter to "cloud-version" files | | | | | ## License
diff --git a/terraform/azure/management-new-vnet/main.tf b/terraform/azure/management-new-vnet/main.tf
index 3ac18c91..969a62cc 100755
--- a/terraform/azure/management-new-vnet/main.tf
+++ b/terraform/azure/management-new-vnet/main.tf
@@ -28,6 +28,7 @@ module "common" {
 authentication_type = var.authentication_type
 serial_console_password_hash = var.serial_console_password_hash
 maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
 }
 
 //********************** Networking **************************//
@@ -40,11 +41,12 @@ module "vnet" {
 address_space = var.address_space
 subnet_prefixes = [var.subnet_prefix]
 subnet_names = ["${var.mgmt_name}-subnet"]
- nsg_id = module.network-security-group.network_security_group_id
+ nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 
 module "network-security-group" {
 source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
 resource_group_name = module.common.resource_group_name
 security_group_name = "${module.common.resource_group_name}-nsg"
 location = module.common.resource_group_location
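Review bot: When `var.nsg_id` is non-empty the `network-security-group` module gets `count = 0`, so none of the rules that module would have created are applied and the caller's group is attached to the management subnet as-is; the commit should document on `nsg_id` that the supplied NSG must already carry equivalent inbound restrictions (presumably the ones derived from `management_GUI_client_network`, which I cannot confirm from this hunk). The ternary `var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id` is also repeated verbatim in the `security_group_association` hunk further down; a single `locals { nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id }` referenced as `local.nsg_id` in both places keeps the two from drifting. Both the `module "vnet"` and `module "network-security-group"` blocks continue outside the hunk.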
@@ -153,6 +155,7 @@ resource "azurerm_public_ip" "public-ip" {
 location = module.common.resource_group_location
 resource_group_name = module.common.resource_group_name
 allocation_method = var.vnet_allocation_method
+ sku = var.sku
 idle_timeout_in_minutes = 30
 domain_name_label = join("", [
 lower(var.mgmt_name),
@@ -161,9 +164,9 @@ resource "azurerm_public_ip" "public-ip" {
 }
 
 resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network-security-group.network_security_group_id]
+ depends_on = [azurerm_network_interface.nic, module.network-security-group]
 network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = module.network-security-group.network_security_group_id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 
 resource "azurerm_network_interface" "nic" {
@@ -199,6 +202,15 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
 account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
 }
 
 //********************** Virtual Machines **************************//
diff --git a/terraform/azure/management-new-vnet/terraform.tfvars b/terraform/azure/management-new-vnet/terraform.tfvars
index e37216dd..163314eb 100755
--- a/terraform/azure/management-new-vnet/terraform.tfvars
+++ b/terraform/azure/management-new-vnet/terraform.tfvars
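Review bot: In the `network_rules` block added to `azurerm_storage_account.vm-boot-diagnostics-storage`, `default_action` falls back to `"Allow"` because `add_storage_account_ip_rules` defaults to `false`, so an unmodified deployment leaves the boot-diagnostics account reachable from any network and the `ip_rules` list has no effect. Either make the variable default `true` so the account is deny-by-default, or at least have its description spell out that `false` means no network restriction; if Deny becomes the default, confirm that boot diagnostics and the serial console still write to the account with only `module.common.storage_account_ip_rules` and `storage_account_additional_ips` permitted, which I cannot verify from this hunk. Separately, `days = "15"` in `delete_retention_policy` is a string for a numeric attribute; `days = 15` is the conventional form.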
@@ -21,6 +21,9 @@ os_version = "PLEASE ENTER GAIA OS VERSION"
 bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 allow_upload_download = "PLEASE ENTER true or false" # true
 authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
-admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/management-new-vnet/variables.tf b/terraform/azure/management-new-vnet/variables.tf
index 1582e333..63839bd0 100755
--- a/terraform/azure/management-new-vnet/variables.tf
+++ b/terraform/azure/management-new-vnet/variables.tf
@@ -62,7 +62,7 @@ variable "template_name" {
 variable "template_version" {
 description = "Template version. It is reccomended to always use the latest template version"
 type = string
- default = "20210111"
+ default = "20230910"
 }
 
 variable "installation_type" {
@@ -77,7 +77,7 @@ variable "vm_size" {
 }
 
 variable "disk_size" {
- description = "Storage data disk size size(GB).Select a number between 100 and 3995"
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
 type = string
 }
 
@@ -126,6 +126,7 @@ variable "allow_upload_download" {
 variable "admin_shell" {
 description = "The admin shell to configure on machine or the first time"
 type = string
+ default = "/etc/cli.sh"
 }
 
 locals {
@@ -203,7 +204,24 @@ variable "bootstrap_script" {
 #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 }
 
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
 //********************** Credentials **************************//
+
 variable "tenant_id" {
 description = "Tenant ID"
 type = string
@@ -223,3 +241,9 @@ variable "client_secret" {
 description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password."
 type = string
 }
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
diff --git a/terraform/azure/management-new-vnet/versions.tf b/terraform/azure/management-new-vnet/versions.tf
index 12389c5c..0d5ca4f3 100755
--- a/terraform/azure/management-new-vnet/versions.tf
+++ b/terraform/azure/management-new-vnet/versions.tf
@@ -3,10 +3,10 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.92.0"
+ version = "~> 3.81.0"
 }
 random = {
- version = "~> 2.2.1"
+ version = "~> 3.5.1"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/terraform/azure/mds-existing-vnet/README.md b/terraform/azure/mds-existing-vnet/README.md
index dc8dff16..8a973c19 100755
--- a/terraform/azure/mds-existing-vnet/README.md
+++ b/terraform/azure/mds-existing-vnet/README.md
@@ -70,69 +70,75 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI 
of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **mds_name** | MDS name | string | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **management_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **subnet_1st_Address** | First available address in management subnet | string | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | - | | | | | | - | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be 
deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | - | | | | | | - | **installation_type** | Enables to select installation type - gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | - | | | | | | - | **primary** | Indicates if the installation type is mds-primary | boolean | true;
false; | - | | | | | | - | **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false; | - | | | | | | - | **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false; | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **management_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **subnet_1st_Address** | First available address in management subnet | string | | 
n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type - gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a + | | | | | | + | **primary** | Indicates if the installation type is mds-primary | boolean | true;
false; | n/a + | | | | | | + | **secondary** | Indicates if the installation type is mds-secondary | boolean | true;
false; | n/a + | | | | | | + | **logserver** | Indicates if the installation type is mds-logserver | boolean | true;
false; | n/a | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Example @@ -167,12 +173,17 @@ This solution uses the following modules: logserver = "false" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| +| 20230910 | - R81.20 is the default version | +| | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | | | | | diff --git a/terraform/azure/mds-existing-vnet/main.tf b/terraform/azure/mds-existing-vnet/main.tf index 57d1f095..ff654c86 100755 --- a/terraform/azure/mds-existing-vnet/main.tf +++ b/terraform/azure/mds-existing-vnet/main.tf @@ -28,6 +28,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// @@ -42,6 +43,7 @@ resource "azurerm_public_ip" "public-ip" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name allocation_method = var.vnet_allocation_method + sku = var.sku idle_timeout_in_minutes = 30 domain_name_label = join("", [ lower(var.mds_name), 
@@ -51,6 +53,7 @@ resource "azurerm_public_ip" "public-ip" {
 module "network-security-group" {
 source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
 resource_group_name = module.common.resource_group_name
 security_group_name = "${module.common.resource_group_name}-nsg"
 location = module.common.resource_group_location
@@ -157,7 +160,7 @@ module "network-security-group" {
 resource "azurerm_network_interface_security_group_association" "security_group_association" {
 depends_on = [azurerm_network_interface.nic]
 network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = module.network-security-group.network_security_group_id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 resource "azurerm_network_interface" "nic" {
@@ -193,6 +196,16 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
 account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+ }
 //********************** Virtual Machines **************************//
diff --git a/terraform/azure/mds-existing-vnet/terraform.tfvars b/terraform/azure/mds-existing-vnet/terraform.tfvars
index 700f850d..61547ee1 100755
--- a/terraform/azure/mds-existing-vnet/terraform.tfvars
+++ b/terraform/azure/mds-existing-vnet/terraform.tfvars
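Review bot: Because `add_storage_account_ip_rules` defaults to false, the new `network_rules` block on `vm-boot-diagnostics-storage` resolves to `default_action = "Allow"` out of the box, so the storage account the README ties to serial-console access stays reachable from every network unless the operator opts in, while `ip_rules` is still populated and reads as if a restriction were in force. If deny-by-default is the intent, set `default_action = "Deny"` unconditionally and let the flag only decide whether the per-region console IPs are added; otherwise put `# "Allow" disables the storage firewall entirely; ip_rules then have no effect` next to the ternary so the trade-off is visible. In the `Deny` case no `bypass` is set, so whether the platform can still write boot diagnostics depends on the provider's default for that attribute — worth confirming with a `Deny` apply and adding `bypass = ["AzureServices"]` if it fails. `delete_retention_policy.days` is a numeric attribute; write `days = 15` rather than the string `"15"`.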
@@ -29,4 +29,7 @@ primary = "PLEASE ENTER true or false" # "
 secondary = "PLEASE ENTER true or false" # "false"
 logserver = "PLEASE ENTER true or false" # "false"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/mds-existing-vnet/variables.tf b/terraform/azure/mds-existing-vnet/variables.tf
index 0951961f..8896ceae 100755
--- a/terraform/azure/mds-existing-vnet/variables.tf
+++ b/terraform/azure/mds-existing-vnet/variables.tf
@@ -63,7 +63,7 @@ variable "template_name" {
 variable "template_version" {
 description = "Template version. It is recommended to always use the latest template version"
 type = string
- default = "20230629"
+ default = "20230910"
 }
 variable "installation_type" {
@@ -98,7 +98,7 @@ variable "vm_size" {
 }
 variable "disk_size" {
- description = "Storage data disk size size(GB).Select a number between 100 and 3995"
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
 type = string
 }
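Review bot: The placeholder `nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID"` is a non-empty string, and main.tf only creates the default NSG when `var.nsg_id == ""`, so a user who leaves this optional entry untouched silently skips the template's NSG and then fails at apply with an invalid resource ID instead of getting the documented fallback. Since the variable already defaults to `""`, ship the line commented out, `# nsg_id = ""  # optional: resource ID of an existing NSG`, or set it to `""` in this file. The same pattern is a trap for the two lines below it: `"PLEASE ENTER true or false"` cannot be converted to `bool` and `"PLEASE ENTER A LIST OF VALID IPS/CIDRS"` cannot be converted to `list(string)`, so `terraform plan` stops with a type error rather than a prompt to fill them in.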
@@ -226,7 +226,24 @@ variable "bootstrap_script" {
 #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 }
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
 //********************** Credentials **************************//
+
 variable "tenant_id" {
 description = "Tenant ID"
 type = string
@@ -255,3 +272,9 @@ variable sic_key {
 resource "null_resource" "sic_key_invalid" {
 count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
 }
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
diff --git a/terraform/azure/mds-existing-vnet/versions.tf b/terraform/azure/mds-existing-vnet/versions.tf
index 0a005a98..0d5ca4f3 100755
--- a/terraform/azure/mds-existing-vnet/versions.tf
+++ b/terraform/azure/mds-existing-vnet/versions.tf
@@ -3,10 +3,10 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.92.0"
+ version = "~> 3.81.0"
 }
 random = {
- version = "~> 2.2.1"
+ version = "~> 3.5.1"
 }
 }
 }
\ No newline at end of file
diff --git a/terraform/azure/mds-new-vnet/README.md b/terraform/azure/mds-new-vnet/README.md
index b126b29a..5bfb7bc6 100755
--- a/terraform/azure/mds-new-vnet/README.md
+++ b/terraform/azure/mds-new-vnet/README.md
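Review bot: `storage_account_additional_ips` is described as taking `IPs/CIDRs`, but main.tf hands the list straight to the common module, whose validation (in the modules/common/variables.tf hunk later in this patch) anchors a dotted-quad regex with no prefix-length part, so an entry like `10.1.2.0/24` is rejected with "Invalid IPv4 address." Either extend that regex with an optional `(/([0-9]|[12][0-9]|3[0-2]))?` suffix or change this description to `Individual IPv4 addresses that are allowed access to the Storage Account` so the two agree. `nsg_id` is the only variable in this hunk without a `type`; add `type = string`, and a `validation` that the value is empty or starts with `/subscriptions/` would turn a pasted NSG name into a plan-time error instead of an apply failure. The new `sku` variable's description `"SKU"` says nothing about what it selects; `"SKU of the MDS public IP (Basic or Standard)"` would.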
@@ -72,61 +72,67 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The 
URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **mds_name** | MDS name | string | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation. | - | | | | | | - | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation. | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | - | | | | | | - | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; - | | | | | | - | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be 
deployed | string | "mgmt-byol" - BYOL license for R80.40 and above;
"mgmt-25" - PAYG for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | - | | | | | | - | **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **mds_name** | MDS name | string | | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address space that is used by a Virtual Network | string | A valid address in CIDR notation | "10.0.0.0/16" + | | | | | | + | **subnet_prefix** | Address prefix to be used for network subnet | string | A valid address in CIDR notation | "10.0.0.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | 
n/a + | | | | | | + | **mds_enable_api** | Enable api access to the mds | string | - "all";
- "management_only";
- "gui_clients"
- "disable"; | "disable" + | | | | | | + | **admin_password** | The password associated with the local administrator account on the mds | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | 
A sku of the image to be deployed | string | "mgmt-byol" - BYOL license;
"mgmt-25" - PAYG; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120";| n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **sic_key** | Set the Secure Internal Communication one time secret used to set up trust between the primary and secondary servers. SIC key must be provided if installing a secondary Multi-Domain Server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | mds-primary;
mds-secondary;
mds-logserver; | n/a | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Example @@ -159,13 +165,18 @@ This solution uses the following modules: secondary = "false" logserver = "false" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------| +| 20230910 | - R81.20 is the default version | +| | | | | 20230629 | First release of Check Point CloudGuard Network Security MDS Terraform deployment for Azure | | | | | diff --git a/terraform/azure/mds-new-vnet/main.tf b/terraform/azure/mds-new-vnet/main.tf index 0b78214f..f3162e70 100755 --- a/terraform/azure/mds-new-vnet/main.tf +++ b/terraform/azure/mds-new-vnet/main.tf @@ -28,6 +28,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// 
@@ -40,11 +41,12 @@ module "vnet" {
 address_space = var.address_space
 subnet_prefixes = [var.subnet_prefix]
 subnet_names = ["${var.mds_name}-subnet"]
- nsg_id = module.network-security-group.network_security_group_id
+ nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 module "network-security-group" {
 source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
 resource_group_name = module.common.resource_group_name
 security_group_name = "${module.common.resource_group_name}-nsg"
 location = module.common.resource_group_location
@@ -153,6 +155,7 @@ resource "azurerm_public_ip" "public-ip" {
 location = module.common.resource_group_location
 resource_group_name = module.common.resource_group_name
 allocation_method = var.vnet_allocation_method
+ sku = var.sku
 idle_timeout_in_minutes = 30
 domain_name_label = join("", [ lower(var.mds_name),
@@ -161,9 +164,9 @@ resource "azurerm_public_ip" "public-ip" {
 }
 resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network-security-group.network_security_group_id]
+ depends_on = [azurerm_network_interface.nic, module.network-security-group]
 network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = module.network-security-group.network_security_group_id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 resource "azurerm_network_interface" "nic" {
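Review bot: `sku = var.sku` moves the public IP to the Standard SKU by default while `allocation_method` still comes from `var.vnet_allocation_method`, and Azure only supports static allocation for Standard-SKU public IPs, so if that variable is left at `Dynamic` (its default is not in this hunk) the provider rejects the resource at apply. Either derive it, `allocation_method = var.sku == "Standard" ? "Static" : var.vnet_allocation_method`, or add a `validation` on the pair so the combination fails at plan time. The `azurerm_public_ip` body continues past the hunk, so the existing `domain_name_label` handling was not checked here.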
@@ -199,6 +202,16 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
 account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+ }
 //********************** Virtual Machines **************************//
diff --git a/terraform/azure/mds-new-vnet/terraform.tfvars b/terraform/azure/mds-new-vnet/terraform.tfvars
index 9c789043..7a1045b3 100755
--- a/terraform/azure/mds-new-vnet/terraform.tfvars
+++ b/terraform/azure/mds-new-vnet/terraform.tfvars
@@ -28,4 +28,7 @@ primary = "PLEASE ENTER true or false" # "
 secondary = "PLEASE ENTER true or false" # "false"
 logserver = "PLEASE ENTER true or false" # "false"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/mds-new-vnet/variables.tf b/terraform/azure/mds-new-vnet/variables.tf
index 49d00ff5..9ce9d0ba 100755
--- a/terraform/azure/mds-new-vnet/variables.tf
+++ b/terraform/azure/mds-new-vnet/variables.tf
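Review bot: The two new placeholders `add_storage_account_ip_rules = "PLEASE ENTER true or false"` and `storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS"` are strings assigned to variables declared as `bool` and `list(string)`, so an untouched file stops `terraform plan` with a type-conversion error instead of a hint about what to fill in, and the variables' safe defaults (`false`, `[]`) never apply. Since both are optional, ship them commented out with the default shown, `# add_storage_account_ip_rules = false` and `# storage_account_additional_ips = []`, so the file validates as delivered. `nsg_id` has the same problem in reverse: its non-empty placeholder disables the `var.nsg_id == ""` fallback in main.tf, so `# nsg_id = ""` is the safer shipped form.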
@@ -62,7 +62,7 @@ variable "template_name" {
 variable "template_version" {
 description = "Template version. It is recommended to always use the latest template version"
 type = string
- default = "20230629"
+ default = "20230910"
 }
 variable "installation_type" {
@@ -97,7 +97,7 @@ variable "vm_size" {
 }
 variable "disk_size" {
- description = "Storage data disk size size(GB).Select a number between 100 and 3995"
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
 type = string
 }
@@ -224,6 +224,23 @@ variable "bootstrap_script" {
 #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
 }
+variable "nsg_id" {
+ description = "NSG ID - Optional - if empty use default NSG"
+ default = ""
+}
+
+variable "add_storage_account_ip_rules" {
+ type = bool
+ default = false
+ description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location"
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+}
+
 //********************** Credentials **************************//
 variable "tenant_id" {
 description = "Tenant ID"
@@ -253,3 +270,9 @@ variable "sic_key" {
 resource "null_resource" "sic_key_invalid" {
 count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long"
 }
+
+variable "sku" {
+ description = "SKU"
+ type = string
+ default = "Standard"
+}
\ No newline at end of file
diff --git a/terraform/azure/mds-new-vnet/versions.tf b/terraform/azure/mds-new-vnet/versions.tf
index 12389c5c..de940e72 100755
--- a/terraform/azure/mds-new-vnet/versions.tf
+++ b/terraform/azure/mds-new-vnet/versions.tf
@@ -3,10 +3,10 @@ terraform {
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "~> 2.92.0"
+ version = "~> 3.81.0"
 }
 random = {
- version = "~> 2.2.1"
+ version = "~> 3.5.1"
 }
 }
 }
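Review bot: `variable "sku"` is declared with the description `"SKU"` and a generic name although main.tf uses it only for the MDS public IP; name the purpose, `description = "SKU of the MDS public IP address (Basic or Standard)"`, and add `validation { condition = contains(["Basic", "Standard"], var.sku) error_message = "sku must be Basic or Standard." }` so a typo is caught at plan rather than by the Azure API. `nsg_id` is the one variable in this hunk without a `type`; `type = string` stops a list or number from slipping through to the `var.nsg_id == ""` comparison in main.tf. The `add_storage_account_ip_rules` description covers only the `true` case; the README already says what `false` means, so append `; when false the Storage Account accepts traffic from all networks` here as well, since this is the text `terraform` shows when prompting.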
diff --git a/terraform/azure/modules/add-routing-intent.py b/terraform/azure/modules/add-routing-intent.py deleted file mode 100755 index 87437061..00000000 --- a/terraform/azure/modules/add-routing-intent.py +++ /dev/null @@ -1,29 +0,0 @@ -import json -import requests -import sys - - -def perform_put_request(url, data, headers=None): - """ - This function perform the PUT request to Azure in order to edit the vWAN Hub Routing-Intent - """ - result = {"status": "success", "message": ""} - try: - response = requests.put(url, json=data, headers=headers) - result["message"] = response.text - except Exception as e: - result["status"] = "error" - result["message"] = f"An error occurred: {str(e)}" - return result - - -if __name__ == "__main__": - """ - This script receives url, body, and authorization token as arguments and set vWAN Hub Routing-Intent - """ - api_url = sys.argv[1] - api_data = eval(sys.argv[2]) - auth_token = sys.argv[3] - api_headers = {"Authorization": f'Bearer {auth_token}'} - result = perform_put_request(api_url, api_data, api_headers) - print(json.dumps(result)) diff --git a/terraform/azure/modules/common/outputs.tf b/terraform/azure/modules/common/outputs.tf index f491047d..1d4ad2b0 100755 --- a/terraform/azure/modules/common/outputs.tf +++ b/terraform/azure/modules/common/outputs.tf @@ -122,6 +122,9 @@ output "boot_diagnostics" { value = var.boot_diagnostics } +output "storage_account_ip_rules" { + value = local.storage_account_ip_rules +} output "role_definition" { value = var.role_definition } \ No newline at end of file diff --git a/terraform/azure/modules/common/variables.tf b/terraform/azure/modules/common/variables.tf index 4a5c6fb9..e768159b 100755 --- a/terraform/azure/modules/common/variables.tf +++ b/terraform/azure/modules/common/variables.tf 
@@ -17,7 +17,7 @@ variable "location" {
 //************** Virtual machine instance variables **************
 variable "admin_username" {
 description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
- type = string
+ type = string
 default = "notused"
 }
@@ -48,6 +48,65 @@ variable "boot_diagnostics" {
 default = true
 }
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+ validation {
+ condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips: regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", ip)])
+ error_message = "Invalid IPv4 address."
+ }
+}
+locals {
+ serial_console_ips_per_location = {
+ "eastasia" : ["20.205.69.28", "20.195.85.180"],
+ "southeastasia" : ["20.205.69.28", "20.195.85.180"],
+ "australiacentral" : ["20.53.53.224", "20.70.222.112"],
+ "australiacentral2" : ["20.53.53.224", "20.70.222.112"],
+ "australiaeast" : ["20.53.53.224", "20.70.222.112"],
+ "australiasoutheast" : ["20.53.53.224", "20.70.222.112"],
+ "brazilsouth" : ["91.234.136.63", "20.206.0.194"],
+ "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"],
+ "canadacentral" : ["52.228.86.177", "52.242.40.90"],
+ "canadaeast" : ["52.228.86.177", "52.242.40.90"],
+ "northeurope" : ["52.146.139.220", "20.105.209.72"],
+ "westeurope" : ["52.146.139.220", "20.105.209.72"],
+ "francecentral" : ["20.111.0.244", "52.136.191.10"],
+ "francesouth" : ["20.111.0.244", "52.136.191.10"],
+ "germanynorth" : ["51.116.75.88", "20.52.95.48"],
+ "germanywestcentral" : ["51.116.75.88", "20.52.95.48"],
+ "centralindia" : ["20.192.168.150", "20.192.153.104"],
+ "southindia" : ["20.192.168.150", "20.192.153.104"],
+ "westindia" : ["20.192.168.150", "20.192.153.104"],
+ "japaneast" : ["20.43.70.205", "20.189.228.222"],
+ "japanwest" : ["20.43.70.205", "20.189.228.222"],
+ "koreacentral" : ["20.200.196.96", "52.147.119.29"],
+ "koreasouth" : ["20.200.196.96", "52.147.119.29"],
+ "norwaywest" : ["20.100.1.184", "51.13.138.76"],
+ "norwayeast" : ["20.100.1.184", "51.13.138.76"],
+ "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"],
+ "switzerlandwest" : ["20.208.4.98", "51.107.251.190"],
+ "uaecentral" : ["20.45.95.66", "20.38.141.5"],
+ "uaenorth" : ["20.45.95.66", "20.38.141.5"],
+ "uksouth" : ["20.90.132.144", "20.58.68.62"],
+ "ukwest" : ["20.90.132.144", "20.58.68.62"],
+ "swedencentral" : ["51.12.72.223", "51.12.22.174"],
+ "swedensouth" : ["51.12.72.223", "51.12.22.174"],
+ "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2euap" : ["20.45.242.18", "20.51.21.252"],
+ "centraluseuap" : ["20.45.242.18", "20.51.21.252"]
+ }
+ serial_console_ips = contains(keys(local.serial_console_ips_per_location),var.location) ? local.serial_console_ips_per_location[var.location] : []
+ storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips)
+}
 variable "vm_instance_identity_type" {
 description = "Managed Service Identity type"
 type = string
@@ -171,6 +230,7 @@ locals { // locals for 'vm_os_offer' allowed values
 ]
 // will fail if [var.vm_os_offer] is invalid:
 validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+ validate_os_version_match = regex(split("-", var.vm_os_offer)[3], lower(var.os_version))
 }
 variable "vm_os_sku" {
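Review bot: The validation on `storage_account_additional_ips` in the -48 hunk anchors a bare dotted-quad pattern with `^…$`, so any CIDR such as `10.1.2.0/24` is rejected even though the description promises "IPs/CIDRs"; either extend the pattern to accept an optional `/<prefix-length>` suffix or change the description to say single IPv4 addresses, and split the `0.0.0.0` exclusion into its own condition with an `error_message` that explains an allow-everything entry is refused rather than reusing "Invalid IPv4 address.". `serial_console_ips` silently falls back to `[]` when `var.location` is absent from the hardcoded map, so a deployment in an unlisted region with IP rules enabled gets a rule set that omits the Serial Console addresses and the Storage Account restriction locks the console out with no warning; a validation or precondition that fails for an unknown region would surface this at plan time. The map itself needs a provenance comment so it can be refreshed when Microsoft changes the addresses, e.g. `# Serial Console service IPs per Azure region, copied from <source URL placeholder> on <date placeholder>; regions not listed here get no console rule`.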
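Review bot: `validate_os_version_match` in the -171 hunk rejects a mismatched `os_version` only by letting `regex()` fail, so the operator sees a bare regex error that names neither variable; keep the check but route it through a construct with an `error_message`, such as a `precondition` with `condition = can(regex(split("-", var.vm_os_offer)[3], lower(var.os_version)))` and `error_message = "os_version must match the version segment of vm_os_offer"`, or the `null_resource` count idiom these templates already use for `sic_key`. The `[3]` index assumes a four-segment offer name, which presumably holds only because `validate_os_offer_value` restricts the offer immediately above; a comment such as `// [3] is the version token of the offer string; safe because the offer was validated against vm_os_offer_allowed_values above` would record that dependency. The enclosing `locals` block starts outside the hunk.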
@@ -251,7 +311,7 @@ locals { // locals for 'account_replication_type' allowed values
 }
 variable "disk_size" {
- description = "Storage data disk size size(GB).Select a number between 100 and 3995"
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
 type = string
 }
diff --git a/terraform/azure/modules/vnet/main.tf b/terraform/azure/modules/vnet/main.tf
index 4f9a318b..2c67fc4f 100755
--- a/terraform/azure/modules/vnet/main.tf
+++ b/terraform/azure/modules/vnet/main.tf
@@ -45,7 +45,7 @@ resource "azurerm_route_table" "frontend" {
 route {
 name = "Local-Subnet"
- address_prefix = azurerm_subnet.subnet[0].address_prefix
+ address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
 next_hop_type = local.next_hop_type_allowed_values[1]
 }
 route {
diff --git a/terraform/azure/modules/vnet/variables.tf b/terraform/azure/modules/vnet/variables.tf
index 77e8a518..1f64d28e 100755
--- a/terraform/azure/modules/vnet/variables.tf
+++ b/terraform/azure/modules/vnet/variables.tf
@@ -1,6 +1,6 @@
 variable "vnet_name" {
 description = "Name of Virtual Network"
- type = string
+ type = string
 default = "vnet01"
 }
@@ -16,7 +16,7 @@ variable "location" {
 variable "address_space" {
 description = "The address prefixes of the virtual network"
- type = string
+ type = string
 default = "10.0.0.0/16"
 }
@@ -28,7 +28,7 @@ variable "dns_servers" {
 variable "subnet_prefixes" {
 description = "The address prefixes to be used for subnets"
- type = list(string)
+ type = list(string)
 default = ["10.0.0.0/24","10.0.1.0/24"]
 }
diff --git a/terraform/azure/nva-into-existing-hub/README.md b/terraform/azure/nva-into-existing-hub/README.md
index 6b05846d..253cce89 100755
--- a/terraform/azure/nva-into-existing-hub/README.md
+++ b/terraform/azure/nva-into-existing-hub/README.md
@@ -59,67 +59,63 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; + | Name | Description | Type | Allowed values | Default | + |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a | | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | - | | | | | | - | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | - | | | | | | - | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric 
characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **os-version** | The GAIA os version | string | "R8110"
"R8120" | - | | | | | | - | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | - | | | | | | | | | | - | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | | string | gateway;
standalone; | - | | | | | | - | **bgp-asn** | The BGP autonomous system number. | string | 64512 || - | | | | | | - | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | - | | | | | | - | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment. | - | | | | | | - | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment. | - | | | | | | - | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource | n/a | | - | | | | | | - | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no;| yes | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period| "tf-managed-app-resource-group" | + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | | | | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a | + | | | | | | + | **vwan-hub-resource-group** | The vWAN hub resource group name | string | | n/a | + | | | | | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-managed-app-nva" | + | | | | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-nva" | + | | | | | | + | 
**nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "tf-vwan-nva-rg"| + | | | | | | + | **os-version** | The GAIA os version | string | "R8110"
"R8120" | "R8120" | + | | | | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | | | | | | | | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | | | | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | | | | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | | | | | | + | **bgp-asn** | The BGP autonomous system number | string | 64512 | "64512" || + | | | | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | | | | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | | | | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | | | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | | | ## Conditional creation @@ -166,7 +162,7 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | |------------------|-------------------| | 20240228 | Added public IP for ingress support | | | -| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure| | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | ## License diff --git a/terraform/azure/nva-into-existing-hub/variables.tf b/terraform/azure/nva-into-existing-hub/variables.tf index fad0db9e..d00283d4 100755 --- a/terraform/azure/nva-into-existing-hub/variables.tf +++ b/terraform/azure/nva-into-existing-hub/variables.tf @@ -63,6 +63,7 @@ variable "nva-name" { variable "os-version" { description = "GAIA OS version" type = string + default = "R8120" validation { condition = contains(["R8110", "R8120"], var.os-version) error_message = "Allowed values for os-version are 'R8110', 'R8120'" diff --git a/terraform/azure/nva-into-new-vwan/README.md b/terraform/azure/nva-into-new-vwan/README.md index 4e151b9c..c7f06c09 100755 --- a/terraform/azure/nva-into-new-vwan/README.md +++ b/terraform/azure/nva-into-new-vwan/README.md 
@@ -1,6 +1,6 @@ # Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure -This Terraform module deploys Check Point CloudGuard Network Security Virtual WAN NVA solution into a new Virtual WAN Hub in Azure. +This Terraform module deploys Check Point CloudGuard Network Security vWAN NVA solution into a new vWAN Hub in Azure. As part of the deployment the following resources are created: - Resource groups - Virtual WAN @@ -12,6 +12,7 @@ As part of the deployment the following resources are created: For additional information, please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_Azure_vWAN/Default.htm) + ## Configurations - Install and configure Terraform to provision Azure resources: [Configure Terraform for Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-install-configure). - In order to configure hub routing-intent policies it is **required** to have Python and 'requests' library installed. @@ -61,69 +62,69 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; + | Name | Description | Type | Allowed values | Default | + |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | + | **authentication_method** | The authentication method used to deploy the solution | string | "Service Principal";
"Azure CLI"; | n/a | | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | - | | | | | | - | **vwan-name** | The name of the virtual WAN that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vwan-hub-address-prefix** | The address prefixes of the virtual hub | string | Valid CIDR block | - | | | | | | - | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter 
or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **os-version** | The GAIA os version | string | "R8110"
"R8120" | - | | | | | | - | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | - | | | | | | - | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | | string | gateway;
standalone; | - | | | | | | - | **bgp-asn** | The BGP autonomous system number. | string | 64512 || - | | | | | | - | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | - | | | | | | - | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment. | - | | | | | | - | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment. | - | | | | | | - | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | || | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | || | | | + | **resource-group-name** | The name of the resource group that will contain the managed application | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | "managed-app-resource-group" | + | || | | | + | **location** | The region where the resources will be deployed at | string | The full list of supported Azure regions can be found at https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-locations-partners#locations | "westcentralus" | + | || | | | + | **vwan-name** | The name of the virtual WAN that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan" | + | || | | | + | **vwan-hub-name** | The name of the virtual WAN hub that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | "tf-vwan-hub" | + | || | | | + | **vwan-hub-address-prefix** | The address prefixes of the virtual hub | string | Valid CIDR block | "10.0.0.0/16" | + | || 
| | | + | **managed-app-name** | The name of the managed application that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | tf-vwan-managed-app | + | || | | | + | **nva-name** | The name of the NVA that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | tf-vwan-nva | + | || | | | + | **nva-rg-name** | The name of the resource group that will contain the NVA | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | tf-vwan-nva-rg | + | || | | | + | **os-version** | The GAIA os version| string | "R8110"
"R8120" | "R8120" | + | || | | | + | **license-type** | The Check Point licence type | string | "Security Enforcement (NGTP)"
"Full Package (NGTX + S1C)"
"Full Package Premium (NGTX + S1C++)" | "Security Enforcement (NGTP)" | + | || | | | + | **scale-unit** | The scale unit determines the size and number of resources deployed. The higher the scale unit, the greater the amount of traffic that can be handled. | string | "2"
"4"
"10"
"20"
"30"
"60"
"80"
| "2" | + | || | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | || | | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" | + | || | | | + | **sic-key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a | + | || | | | + | **ssh-public-key** | The public ssh key used for ssh connection to the NVA GW instances | string | ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx generated-by-azure; | n/a | | string | gateway;
standalone; | + | || | | | + | **bgp-asn** | The BGP autonomous system number. | string | 64512 | "64512" || + | || | | | + | **custom-metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | string | yes;
no; | "yes" | + | || | | | + | **routing-intent-internet-traffic** | Set routing intent policy to allow internet traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **routing-intent-private-traffic** | Set routing intent policy to allow private traffic through the new nva | string | yes;
no;
Please verify routing-intent is configured successfully post-deployment | "yes" | + | || | | | + | **smart1-cloud-token-a** | Smart-1 Cloud token to connect automatically ***NVA instance a*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-b** | Smart-1 Cloud token to connect automatically ***NVA instance b*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | || | | | + | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | | + | | + | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource | | | | | | | | - | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource | n/a | | - | | | | | | - | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no;| yes | | + | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no;| | | | ## Conditional creation @@ -168,10 +169,10 @@ please see the [CloudGuard Network for Azure Virtual WAN Deployment Guide](https ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | +| Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| -| 20240228 | Added public IP for ingress support | | | -| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | +| 20240228 | Added public IP for ingress support | | | +| 20231226 | First release of Check Point CloudGuard Network Security Virtual WAN Terraform deployment for Azure | | | ## License diff --git a/terraform/azure/nva-into-new-vwan/variables.tf b/terraform/azure/nva-into-new-vwan/variables.tf index f7a2ebec..927592c9 100755 --- a/terraform/azure/nva-into-new-vwan/variables.tf +++ b/terraform/azure/nva-into-new-vwan/variables.tf @@ -39,12 +39,12 @@ variable "location" { variable "vwan-name" { type = string - default = "tf-vwan-demo" + default = "tf-vwan" } variable "vwan-hub-name" { type = string - default = "tf-vwan-hub-demo" + default = "tf-vwan-hub" } variable "vwan-hub-address-prefix" { @@ -58,12 +58,12 @@ variable "vwan-hub-address-prefix" { variable "managed-app-name" { type = string - default = "tf-vwan-managed-app-nva-demo" + default = "tf-vwan-managed-app" } variable "nva-rg-name" { type = string - default = "tf-vwan-managed-app-rg-demo" + default = "tf-vwan-nva-rg" } variable "nva-name" { @@ -74,6 +74,7 @@ variable "nva-name" { variable "os-version" { description = "GAIA OS version" type = string + default = "R8120" validation { condition = contains(["R8110", "R8120"], var.os-version) error_message = "Allowed values for os-version are 'R8110', 'R8120'" 
diff --git a/terraform/azure/single-gateway-existing-vnet/README.md b/terraform/azure/single-gateway-existing-vnet/README.md
index d057b4a6..958077f7 100755
--- a/terraform/azure/single-gateway-existing-vnet/README.md
+++ b/terraform/azure/single-gateway-existing-vnet/README.md
@@ -68,69 +68,75 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | 
**subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | - | | | | | | - | **subnet_frontend_1st_Address** | First available address in frontend subnet | string | - | | | | | | - | **subnet_backend_1st_Address** | First available address in backend subnet | string | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | - | | | | | | - | **admin_password** | The password associated with the 
local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateways monitoring | boolean | true;
false; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **subnet_frontend_1st_Address** | First available address in frontend subnet | string | | n/a + | | | | | | + | **subnet_backend_1st_Address** | First available address in backend subnet | string | | n/a + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case 
character, 1 number, and 1 special character | n/a + | | | | | | + | **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a | + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", 
"Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateways monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation - To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: @@ -169,13 +175,18 @@ This solution uses the following modules: admin_shell = "/etc/cli.sh" installation_type = "gateway" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| +| 20230910 | - R81.20 is the default version | +| | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | | | | | diff --git a/terraform/azure/single-gateway-existing-vnet/main.tf b/terraform/azure/single-gateway-existing-vnet/main.tf index ae237a2b..5a61f135 100755 --- a/terraform/azure/single-gateway-existing-vnet/main.tf +++ b/terraform/azure/single-gateway-existing-vnet/main.tf 
@@ -28,6 +28,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// @@ -48,6 +49,7 @@ resource "azurerm_public_ip" "public-ip" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name allocation_method = var.vnet_allocation_method + sku = var.sku idle_timeout_in_minutes = 30 domain_name_label = join("", [ lower(var.single_gateway_name), @@ -57,6 +59,7 @@ resource "azurerm_public_ip" "public-ip" { module "network-security-group" { source = "../modules/network-security-group" + count = var.nsg_id == "" ? 1 : 0 resource_group_name = module.common.resource_group_name security_group_name = "${module.common.resource_group_name}-nsg" location = module.common.resource_group_location @@ -79,7 +82,7 @@ module "network-security-group" { resource "azurerm_network_interface_security_group_association" "security_group_association" { depends_on = [azurerm_network_interface.nic] network_interface_id = azurerm_network_interface.nic.id - network_security_group_id = module.network-security-group.network_security_group_id + network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id } resource "azurerm_network_interface" "nic" { @@ -88,7 +91,9 @@ resource "azurerm_network_interface" "nic" { name = "${var.single_gateway_name}-eth0" location = module.common.resource_group_location resource_group_name = module.common.resource_group_name - enable_ip_forwarding = false + enable_ip_forwarding = true + enable_accelerated_networking = true + ip_configuration { name = "ipconfig1" 
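Review bot: In the `azurerm_public_ip` hunk, `sku = var.sku` now defaults the address to Standard while `allocation_method` is still taken from `var.vnet_allocation_method`; Standard SKU public IPs only accept static allocation, so a caller who still passes `Dynamic` gets an apply-time failure instead of a plan-time message. Either derive it — `allocation_method = var.sku == "Standard" ? "Static" : var.vnet_allocation_method` — or add a `validation` on `vnet_allocation_method` that rejects `Dynamic` when the SKU is Standard. Worth a comment on the `sku` line as well: a Standard public IP is closed to inbound traffic until an NSG rule allows it, which now matters because the NSG may be user-supplied via `nsg_id`. The `azurerm_public_ip` resource starts outside this hunk.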
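Review bot: The new `network_security_group_id = var.nsg_id == "" ? … : var.nsg_id` attaches a caller-supplied NSG verbatim, and nothing in the template verifies it still scopes management traffic to `management_GUI_client_network` the way the generated NSG presumably does; a permissive NSG here silently exposes the gateway's management plane. At minimum the `nsg_id` description should state that the supplied group must carry the same management/SIC restrictions as the default one, e.g. `# nsg_id bypasses the template's default rules; the caller owns the inbound policy`. Note too that `var.nsg_id == ""` is false for a `null` value, so a `null` would fall through to the else branch and yield a null `network_security_group_id`; comparing against `coalesce(var.nsg_id, "")` closes that gap.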
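Review bot: `enable_accelerated_networking = true` is set unconditionally on eth0, yet the template's `vm_size` list spans many families and I am not certain every listed size supports Accelerated Networking; where it is unsupported the NIC create fails at apply time with no hint which variable to change. Consider exposing it as a variable with a documented default — `enable_accelerated_networking = var.enable_accelerated_networking` — and noting the size requirement in its description, or at least adding a comment that the size list must stay AN-compatible. The flip of `enable_ip_forwarding` to `true` is expected for a gateway that forwards traffic, but that is worth one comment as well since it widens what the NIC will pass. The `azurerm_network_interface` resource continues outside this hunk.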
@@ -104,7 +109,9 @@ resource "azurerm_network_interface" "nic1" { name = "${var.single_gateway_name}-eth1" location = module.common.resource_group_location resource_group_name = module.common.resource_group_name - enable_ip_forwarding = false + enable_ip_forwarding = true + enable_accelerated_networking = true + ip_configuration { name = "ipconfig2" @@ -130,6 +137,16 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { account_tier = module.common.storage_account_tier account_replication_type = module.common.account_replication_type account_kind = "Storage" + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } + } //********************** Virtual Machines **************************// @@ -237,4 +254,4 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } -} \ No newline at end of file +} diff --git a/terraform/azure/single-gateway-existing-vnet/terraform.tfvars b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars index b790e590..0a186633 100755 --- a/terraform/azure/single-gateway-existing-vnet/terraform.tfvars +++ b/terraform/azure/single-gateway-existing-vnet/terraform.tfvars 
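Review bot: The new `network_rules` block leaves the boot-diagnostics storage account open to all networks by default, because `default_action` is `"Allow"` whenever `add_storage_account_ip_rules` is `false`, and `false` is that variable's default; for a security-appliance template the safer default is `"Deny"` with `ip_rules` carrying the serial-console ranges plus `storage_account_additional_ips`. If the opt-in default is kept on purpose, say so next to the line — `# default_action = "Allow" exposes the account to all networks; set add_storage_account_ip_rules = true in production` — since the README is the only place that currently mentions it. When `Deny` is used, confirm that boot diagnostics and the serial console still reach the account (the provider's `bypass` default presumably covers Azure services, but that should be verified), and consider `allow_nested_items_to_be_public = false` on the account since nothing here needs anonymous blob access. Minor: `days = "15"` is a string for a numeric attribute; `days = 15` is the idiomatic form. The `azurerm_storage_account` resource starts outside this hunk.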
@@ -29,4 +29,7 @@ enable_custom_metrics = "PLEASE ENTER true or false" admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway" serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # "" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] diff --git a/terraform/azure/single-gateway-existing-vnet/variables.tf b/terraform/azure/single-gateway-existing-vnet/variables.tf index 00782ca7..dd4dc15e 100755 --- a/terraform/azure/single-gateway-existing-vnet/variables.tf +++ b/terraform/azure/single-gateway-existing-vnet/variables.tf @@ -69,7 +69,7 @@ variable "template_name" { variable "template_version" { description = "Template version. It is recommended to always use the latest template version" type = string - default = "20230629" + default = "20230910" } variable "installation_type" { @@ -91,7 +91,7 @@ variable "vm_size" { } variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" + description = "Storage data disk size size(GB). Select a number between 100 and 3995" type = string } 
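Review bot: The placeholder `nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID"` is a non-empty string, so a tfvars left as-is makes `main.tf` skip creating the default NSG (its `count` is gated on `var.nsg_id == ""`) and then tries to associate the NIC with that literal text; the sample should show the safe default, `nsg_id = "" # leave empty to create the default NSG, or an existing NSG resource ID`. Likewise `storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS"` assigns a string to a `list(string)` variable and fails type-checking at plan rather than prompting; `storage_account_additional_ips = [] # e.g. ["203.0.113.0/24"]` keeps the file loadable. The other placeholders follow the file's existing convention and are unchanged here.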
@@ -228,6 +228,23 @@ variable "bootstrap_script" { #"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" } +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} + //********************** Credentials **************************// variable "tenant_id" { description = "Tenant ID" @@ -256,3 +273,9 @@ variable "sic_key" { resource "null_resource" "sic_key_invalid" { count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" } + +variable "sku" { + description = "SKU" + type = string + default = "Standard" +} \ No newline at end of file diff --git a/terraform/azure/single-gateway-existing-vnet/versions.tf b/terraform/azure/single-gateway-existing-vnet/versions.tf index 0a005a98..0d5ca4f3 100755 --- a/terraform/azure/single-gateway-existing-vnet/versions.tf +++ b/terraform/azure/single-gateway-existing-vnet/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.92.0" + version = "~> 3.81.0" } random = { - version = "~> 2.2.1" + version = "~> 3.5.1" } } } \ No newline at end of file diff --git a/terraform/azure/single-gateway-new-vnet/README.md b/terraform/azure/single-gateway-new-vnet/README.md index a9821d54..ae4c0f22 100755 --- a/terraform/azure/single-gateway-new-vnet/README.md +++ b/terraform/azure/single-gateway-new-vnet/README.md 
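Review bot: `variable "nsg_id"` declares no `type`, so the `var.nsg_id == ""` gate in `main.tf` depends on whatever the caller happens to pass, and `storage_account_additional_ips` accepts arbitrary strings even though every entry becomes a storage-account firewall rule. Add `type = string` to `nsg_id` and a `validation` on the IP list so a typo surfaces at plan time instead of as a provider error; the rewritten declarations are below. Azure additionally rejects private ranges and `/31`–`/32` prefixes in storage IP rules, as far as I know, so the description should say to use public addresses or bare IPs for single hosts.
```hcl
variable "nsg_id" {
  description = "NSG ID - Optional - if empty use default NSG"
  type        = string
  default     = ""
}

# … unchanged: add_storage_account_ip_rules …

variable "storage_account_additional_ips" {
  type        = list(string)
  description = "Public IPs/CIDRs that are allowed access to the Storage Account"
  default     = []
  validation {
    condition     = alltrue([for ip in var.storage_account_additional_ips : can(cidrhost(ip, 0)) || can(cidrhost("${ip}/32", 0))])
    error_message = "storage_account_additional_ips must contain only valid IP addresses or CIDR blocks"
  }
}
```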
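Review bot: `variable "sku"` is documented only as "SKU" and accepts any string, although it feeds `azurerm_public_ip.sku` where only two values are valid; constrain it with `validation { condition = contains(["Basic", "Standard"], var.sku) error_message = "sku must be Basic or Standard" }` and rename the description to `Public IP SKU` so it is not mistaken for the VM or storage SKU. Changing the default to Standard on an existing deployment replaces the public IP (the SKU is, as far as I know, immutable on `azurerm_public_ip`), which changes the gateway's address; the README revision history should mention that.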
@@ -72,66 +72,71 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | 
**subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | - | | | | | | - | **frontend_subnet_prefix** | The address prefix to be used for created frontend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **backend_subnet_prefix** | The address prefix to be used for created backend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | - | | | | | | - | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 
1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R80.40";
"R81";
"R81.10";
"R81.20"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | boolean | true;
false; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | | string | gateway;
standalone; | + | Name | Description | Type | Allowed values | Default | + |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |----------------| ------------- | + | **client_secret** | The client secret value of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. 
Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | n/a + | | | | | | + | **single_gateway_name** | The name of the Check Point single GW Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.12.0.0/16" + | | | | | | + | **frontend_subnet_prefix** | The address prefix to be used for created frontend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.0.0/24" + | | | | | | + | **backend_subnet_prefix** | The address prefix to be used for created backend subnet | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | "10.12.1.0/24" + | | | | | | + | **management_GUI_client_network** | Allowed GUI clients - GUI clients network CIDR | string | | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on the gateway | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | 
**smart_1_cloud_token** | Smart-1 Cloud token to connect automatically ***Gateway*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the gateway object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", 
"Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | n/a + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a | + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | "" + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether CloudGuard Metrics will be use for gateway monitoring | boolean | true;
false; | true + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **installation_type** | Enables to select installation type- gateway/standalone | string | gateway;
standalone; | n/a | string | gateway;
standalone; | + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if isn't provided will create a default NSG | string | Existing NSG resource ID | "" | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | - + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation - To enable CloudGuard metrics in order to send statuses and statistics collected from the gateway instance to the Azure Monitor service: @@ -168,13 +173,18 @@ This solution uses the following modules: admin_shell = "/etc/cli.sh" installation_type = "gateway" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) | Template Version | Description | |------------------|---------------------------------------------------------------------------------------------------| +| 20230910 | - R81.20 is the default version | +| | | | | 20230629 | First release of Check Point CloudGuard Network Security Single GW Terraform deployment for Azure | | | | | diff --git a/terraform/azure/single-gateway-new-vnet/main.tf b/terraform/azure/single-gateway-new-vnet/main.tf index 7e2bb8a1..b4642666 100755 --- a/terraform/azure/single-gateway-new-vnet/main.tf +++ b/terraform/azure/single-gateway-new-vnet/main.tf 
@@ -28,6 +28,7 @@ module "common" {
 authentication_type = var.authentication_type
 serial_console_password_hash = var.serial_console_password_hash
 maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ storage_account_additional_ips = var.storage_account_additional_ips
 }
 
 //********************** Networking **************************//
@@ -40,11 +41,12 @@ module "vnet" {
 address_space = var.address_space
 subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix]
 subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"]
- nsg_id = module.network-security-group.network_security_group_id
+ nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 
 module "network-security-group" {
 source = "../modules/network-security-group"
+ count = var.nsg_id == "" ? 1 : 0
 resource_group_name = module.common.resource_group_name
 security_group_name = "${module.common.resource_group_name}-nsg"
 location = module.common.resource_group_location
@@ -69,6 +71,7 @@ resource "azurerm_public_ip" "public-ip" {
 location = module.common.resource_group_location
 resource_group_name = module.common.resource_group_name
 allocation_method = var.vnet_allocation_method
+ sku = var.sku
 idle_timeout_in_minutes = 30
 domain_name_label = join("", [
 lower(var.single_gateway_name),
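Review bot: Adding `sku = var.sku` (default `"Standard"`) next to the untouched `allocation_method = var.vnet_allocation_method` creates a combination Azure rejects: a Standard-SKU public IP must be statically allocated, so any deployment whose allocation method is still `Dynamic` (the variable's default is outside this hunk, so I cannot confirm what it is) fails at apply time with a provider error instead of at plan time. Either force the allocation for that case, `allocation_method = var.sku == "Standard" ? "Static" : var.vnet_allocation_method`, or add a validation that rejects `Dynamic` together with `Standard`. Moving to the Standard SKU is otherwise a good change for a gateway, since as far as I recall Standard public IPs are closed to inbound traffic until an NSG allows it, and Azure has announced retirement of the Basic SKU; the `sku` variable's description is just `"SKU"`, and should read `description = "SKU of the gateway public IP address (Basic or Standard)"`. The `azurerm_public_ip` resource continues past the end of this hunk.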
@@ -77,9 +80,9 @@ resource "azurerm_public_ip" "public-ip" {
 }
 
 resource "azurerm_network_interface_security_group_association" "security_group_association" {
- depends_on = [azurerm_network_interface.nic, module.network-security-group.network_security_group_id]
+ depends_on = [azurerm_network_interface.nic, module.network-security-group]
 network_interface_id = azurerm_network_interface.nic.id
- network_security_group_id = module.network-security-group.network_security_group_id
+ network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id
 }
 
 resource "azurerm_network_interface" "nic" {
@@ -88,7 +91,9 @@ resource "azurerm_network_interface" "nic" {
 name = "${var.single_gateway_name}-eth0"
 location = module.common.resource_group_location
 resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = false
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
 
 ip_configuration {
 name = "ipconfig1"
@@ -104,7 +109,9 @@ resource "azurerm_network_interface" "nic1" {
 name = "${var.single_gateway_name}-eth1"
 location = module.common.resource_group_location
 resource_group_name = module.common.resource_group_name
- enable_ip_forwarding = false
+ enable_ip_forwarding = true
+ enable_accelerated_networking = true
+
 
 ip_configuration {
 name = "ipconfig2"
@@ -130,6 +137,16 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" {
 account_tier = module.common.storage_account_tier
 account_replication_type = module.common.account_replication_type
 account_kind = "Storage"
+ network_rules {
+ default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow"
+ ip_rules = module.common.storage_account_ip_rules
+ }
+ blob_properties {
+ delete_retention_policy {
+ days = "15"
+ }
+ }
+
 }
 
 //********************** Virtual Machines **************************//
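Review bot: `enable_accelerated_networking = true` is hard-coded on `nic` here and on `nic1` in the following hunk, but `vm_size` accepts a long list of sizes and, as far as I know, not every entry in it supports accelerated networking (the small 2-vCPU sizes are the usual suspects); for those the NIC attach fails at apply time with no hint from plan. Expose it instead of hard-coding it, `enable_accelerated_networking = var.enable_accelerated_networking`, with a `bool` variable defaulting to `true`, so a user on an unsupported size can turn it off without editing main.tf. Switching `enable_ip_forwarding` to `true` is the correct fix for a gateway that routes traffic between its subnets and is not the concern here. Both `azurerm_network_interface` resources continue past the end of their hunks.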
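Review bot: The new `network_rules` block leaves the boot-diagnostics storage account reachable from all networks unless the operator opts in: `default_action` resolves to `"Allow"` because `add_storage_account_ip_rules` defaults to `false`, and in that mode the attached `ip_rules` have no effect at all. This account is what the serial console of a security gateway goes through (that is what the variable description says the IP rules protect), so the secure-by-default choice is `default_action = "Deny"` and `bypass = ["AzureServices"]` with the allow-list always applied, or at least flipping the variable default to `true`; if the opt-in must stay, the variable description should state plainly that `false` means open to every network, as the README does. The hunk does not show the head of the resource, so whether `min_tls_version`, `enable_https_traffic_only` and `allow_nested_items_to_be_public` are set is worth confirming separately. Minor: `days = "15"` is a string where the provider expects a number; HCL converts it, but `days = 15` is the idiomatic form.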
@@ -236,4 +253,4 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
 managed_disk_type = module.common.storage_account_type
 disk_size_gb = module.common.disk_size
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/azure/single-gateway-new-vnet/terraform.tfvars b/terraform/azure/single-gateway-new-vnet/terraform.tfvars
index 1eaa4e3f..636e9491 100755
--- a/terraform/azure/single-gateway-new-vnet/terraform.tfvars
+++ b/terraform/azure/single-gateway-new-vnet/terraform.tfvars
@@ -27,4 +27,7 @@ enable_custom_metrics = "PLEASE ENTER true or false"
 admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
 installation_type = "PLEASE ENTER INSTALLATION TYPE" # "gateway"
 serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/single-gateway-new-vnet/variables.tf b/terraform/azure/single-gateway-new-vnet/variables.tf
index 9edcd860..65076afc 100755
--- a/terraform/azure/single-gateway-new-vnet/variables.tf
+++ b/terraform/azure/single-gateway-new-vnet/variables.tf
@@ -31,6 +31,11 @@ variable "admin_password" {
 type = string
 }
 
+variable "smart_1_cloud_token" {
+ description = "Smart-1 Cloud Token"
+ type = string
+}
+
 variable "serial_console_password_hash" {
 description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
 type = string
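Review bot: Shipping `nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID"` in the new-vnet tfvars breaks the optional-NSG logic this same commit adds to main.tf: the default NSG is only created when `var.nsg_id == ""`, so the untouched placeholder is passed to Azure as an NSG resource ID and the apply fails instead of falling back. Since the variable defaults to `""`, the entry should be `nsg_id = "" # Optional: resource ID of an existing NSG; leave empty to create the default NSG`. The same applies to `add_storage_account_ip_rules` and `storage_account_additional_ips`, whose placeholder strings do not type-check against the `bool` and `list(string)` declarations; `false` and `[]` would let the file apply as shipped and document the defaults at the same time.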
@@ -41,11 +46,6 @@ variable "maintenance_mode_password_hash" { type = string } -variable "smart_1_cloud_token" { - description = "Smart-1 Cloud Token" - type = string -} - variable "authentication_type" { description = "Specifies whether a password authentication or SSH Public Key authentication should be used" type = string @@ -68,7 +68,7 @@ variable "template_name" { variable "template_version" { description = "Template version. It is recommended to always use the latest template version" type = string - default = "20230629" + default = "20230910" } variable "installation_type" { @@ -90,7 +90,7 @@ variable "vm_size" { } variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" + description = "Storage data disk size size(GB). Select a number between 100 and 3995" type = string } @@ -205,7 +205,22 @@ variable "management_GUI_client_network" { type = string } +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} locals { regex_valid_management_GUI_client_network = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(/(3[0-2]|2[0-9]|1[0-9]|[0-9]))$" // Will fail if var.management_GUI_client_network is invalid @@ -256,4 +271,10 @@ variable "sic_key" { resource "null_resource" "sic_key_invalid" { count = length(var.sic_key) >= 12 ? 0 : "SIC key must be at least 12 characters long" +} + +variable "sku" { + description = "SKU" + type = string + default = "Standard" } \ No newline at end of file 
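Review bot: `storage_account_additional_ips` goes straight into the storage account's `ip_rules` without validation, while this file already regex-checks `management_GUI_client_network` in the `locals` block right after the new variables; a malformed entry therefore surfaces only as a provider error at apply time. Add a `validation` block with `condition = alltrue([for ip in var.storage_account_additional_ips : can(cidrnetmask(can(regex("/", ip)) ? ip : "${ip}/32"))])` and an `error_message` stating that only IPv4 addresses or IPv4 CIDR blocks are accepted (assuming the pinned Terraform version supports `validation`; `required_version` is not in this diff). `nsg_id` should also declare `type = string` and say it expects the resource ID of an existing NSG. Style: a blank line is missing between the `add_storage_account_ip_rules` and `storage_account_additional_ips` blocks and before `locals`, unlike the rest of the file.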
diff --git a/terraform/azure/single-gateway-new-vnet/versions.tf b/terraform/azure/single-gateway-new-vnet/versions.tf index 0a005a98..0d5ca4f3 100755 --- a/terraform/azure/single-gateway-new-vnet/versions.tf +++ b/terraform/azure/single-gateway-new-vnet/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { azurerm = { source = "hashicorp/azurerm" - version = "~> 2.92.0" + version = "~> 3.81.0" } random = { - version = "~> 2.2.1" + version = "~> 3.5.1" } } } \ No newline at end of file diff --git a/terraform/azure/vmss-existing-vnet/README.md b/terraform/azure/vmss-existing-vnet/README.md index b35d8a34..c12dd809 100755 --- a/terraform/azure/vmss-existing-vnet/README.md +++ b/terraform/azure/vmss-existing-vnet/README.md @@ -7,7 +7,7 @@ As part of the deployment the following resources are created: For additional information, -please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) +please see the [CloudGuard Network for Azure Virtual Machine Scale Sets (VMSS) Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_VMSS_for_Azure/Default.htm) This solution uses the following modules: - /terraform/azure/modules/common - used for creating a resource group and defining common variables. 
@@ -71,85 +71,89 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | - | | | | | | - | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | - | | | | | | - | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | - | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | - | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- | ------------- | ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss_name name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | Virtual Network name | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **vnet_resource_group** | Resource Group of the existing virtual network | string | The exact name of the existing vnet's resource group | n/a + | | | | | | + | **frontend_subnet_name** | Specifies the name of the external subnet | string | The exact name of the existing external subnet | n/a + | | | | | | + | **backend_subnet_name** | Specifies the name of the internal subnet | string | The exact name of the existing internal subnet | n/a + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| string | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | true + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | false + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false + | | | | | | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -174,7 +178,7 @@ enable_custom_metrics = true admin_password = "xxxxxxxxxxxx" sic_key = "xxxxxxxxxxxx" vm_size = "Standard_D3_v2" - disk_size = "110" + disk_size = "100" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" os_version = "R8110" @@ -197,8 +201,10 @@ enable_custom_metrics = true admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - - + add_storage_account_ip_rules = false + storage_account_additional_ips = [] + + ## Deploy Without Public IP 1. By default, the VMSS is deployed with public IP @@ -206,6 +212,8 @@ enable_custom_metrics = true ## Known limitations +1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported +2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported ## Revision History @@ -213,9 +221,11 @@ In order to check the template version refer to the [sk116585](https://supportce | Template Version | Description | | ---------------- | ------------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | | | | | -| 20220111 | - Added support to select different shells. | +| 20220111 | - Added support to select different shells | | | | | | 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | | | | | @@ -225,7 +235,7 @@ In order to check the template version refer to the [sk116585](https://supportce | | | | | 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure | | | | | -| | Addition of "templateType" parameter to "cloud-version" files. | +| | Addition of "templateType" parameter to "cloud-version" files | | | | | diff --git a/terraform/azure/vmss-existing-vnet/main.tf b/terraform/azure/vmss-existing-vnet/main.tf index a7c29cae..7cc4399a 100755 --- a/terraform/azure/vmss-existing-vnet/main.tf +++ b/terraform/azure/vmss-existing-vnet/main.tf @@ -1,16 +1,3 @@ -terraform { - required_version = ">= 0.14.3" - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.92.0" - } - random = { - version = "~> 2.2.1" - } - } -} - provider "azurerm" { subscription_id = var.subscription_id client_id = var.client_id @@ -40,6 +27,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// 
@@ -56,6 +44,28 @@ data "azurerm_subnet" "backend" { resource_group_name = var.vnet_resource_group } +module "network-security-group" { + source = "../modules/network-security-group" + count = var.nsg_id == "" ? 1 : 0 + resource_group_name = module.common.resource_group_name + security_group_name = "${module.common.resource_group_name}_nsg" + location = module.common.resource_group_location + security_rules = [ + { + name = "AllowAllInBound" + priority = "100" + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_ranges = "*" + destination_port_ranges = "*" + description = "Allow all inbound connections" + source_address_prefix = "*" + destination_address_prefix = "*" + } + ] +} + //********************** Load Balancers **************************// resource "random_id" "random_id" { byte_length = 13 @@ -76,11 +86,12 @@ resource "azurerm_public_ip" "public-ip-lb" { resource "azurerm_lb" "frontend-lb" { count = var.deployment_mode != "Internal" ? 1 : 0 + depends_on = [azurerm_public_ip.public-ip-lb] name = "frontend-lb" location = module.common.resource_group_location resource_group_name = module.common.resource_group_name sku = var.sku - + frontend_ip_configuration { name = "${var.vmss_name}-app-1" public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id @@ -89,7 +100,6 @@ resource "azurerm_lb" "frontend-lb" { resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { count = var.deployment_mode != "Internal" ? 1 : 0 - resource_group_name = module.common.resource_group_name loadbalancer_id = azurerm_lb.frontend-lb[0].id name = "${var.vmss_name}-app-1" } @@ -104,7 +114,7 @@ resource "azurerm_lb" "backend-lb" { name = "backend-lb" subnet_id = data.azurerm_subnet.backend.id private_ip_address_allocation = "Static" - private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefix,var.backend_lb_IP_address) + private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address) } } 
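Review bot: `count = var.nsg_id == "" ? 1 : 0` on the new `network-security-group` module leaves the module with no instances when a caller supplies `nsg_id`, yet the VMSS network interface later in this patch references `module.network-security-group[0].network_security_group_id` unconditionally, so a non-empty `nsg_id` fails at plan time with an invalid index rather than using the caller's NSG. The consumer should select between the two, e.g. `network_security_group_id = var.nsg_id != "" ? var.nsg_id : module.network-security-group[0].network_security_group_id`. Separately, the default rule is `AllowAllInBound` from `*` to `*` on every port; if that is intentional because the gateway instances enforce policy themselves, record it on the rule (`# Open by design: CloudGuard gateways inspect traffic; pass nsg_id to attach a stricter NSG`) so it is not read as an oversight.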
@@ -112,13 +122,11 @@ resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { count = var.deployment_mode != "External" ? 1 : 0 name = "backend-lb-pool" loadbalancer_id = azurerm_lb.backend-lb[0].id - resource_group_name = module.common.resource_group_name } resource "azurerm_lb_probe" "azure_lb_healprob" { count = var.deployment_mode == "Standard" ? 2 : 1 - depends_on = [azurerm_lb.frontend-lb, azurerm_lb.frontend-lb] - resource_group_name = module.common.resource_group_name + depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb] loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb") protocol = var.lb_probe_protocol 
@@ -131,13 +139,12 @@ resource "azurerm_lb_probe" "azure_lb_healprob" {
 resource "azurerm_lb_rule" "lbnatrule-standard" {
 count = var.deployment_mode == "Standard" ? 2 : 0
 depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id
 name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb"
 protocol = count.index == 0 ? "Tcp" : "All"
 frontend_port = count.index == 0 ? var.frontend_port : "0"
 backend_port = count.index == 0 ? var.backend_port : "0"
- backend_address_pool_id = count.index == 0 ? azurerm_lb_backend_address_pool.frontend-lb-pool[0].id : azurerm_lb_backend_address_pool.backend-lb-pool[0].id
+ backend_address_pool_ids = count.index == 0 ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
 frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
 probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id
 load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution
@@ -148,13 +155,12 @@ resource "azurerm_lb_rule" "lbnatrule-standard" {
 resource "azurerm_lb_rule" "lbnatrule-external" {
 count = var.deployment_mode == "External" ? 1 : 0
 depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob]
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = azurerm_lb.frontend-lb[0].id
 name = "${var.vmss_name}-app-1"
 protocol = "Tcp"
 frontend_port = var.frontend_port
 backend_port = var.backend_port
- backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool[0].id
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]
 frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name
 probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
 load_distribution = var.frontend_load_distribution
@@ -165,13 +171,12 @@ resource "azurerm_lb_rule" "lbnatrule-external" {
 resource "azurerm_lb_rule" "lbnatrule-internal" {
 count = var.deployment_mode == "Internal" ? 1 : 0
 depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]]
- resource_group_name = module.common.resource_group_name
 loadbalancer_id = azurerm_lb.backend-lb[0].id
 name = "backend-lb"
 protocol = "All"
 frontend_port = "0"
 backend_port = "0"
- backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool[0].id
+ backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id]
 frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name
 probe_id = azurerm_lb_probe.azure_lb_healprob[0].id
 load_distribution = var.backend_load_distribution
@@ -188,14 +193,23 @@ resource "random_id" "randomId" { byte_length = 8 } resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { - name = "diag${random_id.randomId.hex}" - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - account_tier = module.common.storage_account_tier - account_replication_type = module.common.account_replication_type - + name = "diag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } } + //********************** Virtual Machines **************************// locals { SSH_authentication_type_condition = var.authentication_type == "SSH Public Key" ? true : false 
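Review bot: With `add_storage_account_ip_rules` defaulting to `false`, `default_action` resolves to `"Allow"`, so the boot-diagnostics storage account accepts traffic from all networks and the `ip_rules` list is applied but has no effect; the restrictive configuration is opt-in. Since this account backs serial console and boot diagnostics, the safer default is `"Deny"` with `ip_rules` populated from the user's additional IPs, or at minimum a comment on `default_action` stating that the default leaves the account reachable from any network. Also `days = "15"` passes a string to a numeric argument and should be `days = 15`, and `module.common.storage_account_ip_rules` is consumed here while `add_storage_account_ip_rules` is not visibly passed to `module "common"` in this patch, so confirm the module output is what is intended when the flag is false.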
@@ -218,38 +232,41 @@ resource "azurerm_image" "custom-image" { } } -resource "azurerm_virtual_machine_scale_set" "vmss" { +resource "azurerm_linux_virtual_machine_scale_set" "vmss" { name = var.vmss_name location = module.common.resource_group_location resource_group_name = module.common.resource_group_name + sku = module.common.vm_size zones = local.availability_zones_num_condition + instances = var.number_of_vm_instances overprovision = false dynamic "identity" { - for_each = var.enable_custom_metrics ? [ - 1] : [] + for_each = var.enable_custom_metrics ? [1] : [] content { type = "SystemAssigned" } } - storage_profile_image_reference { - id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null - publisher = local.custom_image_condition ? null : module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version + dynamic "source_image_reference" { + for_each = local.custom_image_condition ? [] : [1] + content { + publisher = module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } } + source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null - storage_profile_os_disk { - create_option = module.common.storage_os_disk_create_option + os_disk { + disk_size_gb = module.common.disk_size caching = module.common.storage_os_disk_caching - managed_disk_type = module.common.storage_account_type + storage_account_type = module.common.storage_account_type } dynamic "plan" { - for_each = local.custom_image_condition ? [ - ] : [1] + for_each = local.custom_image_condition ? [] : [1] content { name = module.common.vm_os_sku publisher = module.common.publisher 
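Review bot: `instances = var.number_of_vm_instances` pins a fixed instance count on the scale set, but the README table in this patch documents `minimum_number_of_vm_instances` and `maximum_number_of_vm_instances` and not `number_of_vm_instances`, so confirm the variable is declared and documented. If an autoscale setting manages this VMSS, as the min/max variables suggest, every later `terraform apply` will reset the count chosen by the autoscaler unless the resource carries `lifecycle { ignore_changes = [instances] }`. A smaller style point: `source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null` lacks the space before `?` that the neighbouring conditionals have. The resource body continues past this hunk.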
@@ -257,72 +274,70 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { } } - os_profile { - computer_name_prefix = var.vmss_name - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = templatefile("${path.module}/cloud-init.sh",{ - installation_type=module.common.installation_type - allow_upload_download= module.common.allow_upload_download - os_version=module.common.os_version - template_name=module.common.template_name - template_version=module.common.template_version - template_type = "terraform" - is_blink=module.common.is_blink - bootstrap_script64=base64encode(var.bootstrap_script) - location=module.common.resource_group_location - sic_key=var.sic_key - vnet=data.azurerm_subnet.frontend.address_prefix - enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" - admin_shell = var.admin_shell - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - }) - } + computer_name_prefix = var.vmss_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + vnet = data.azurerm_subnet.frontend.address_prefixes[0] + enable_custom_metrics = var.enable_custom_metrics ? 
"yes" : "no" + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + })) + - os_profile_linux_config { disable_password_authentication = local.SSH_authentication_type_condition - dynamic "ssh_keys" { + dynamic "admin_ssh_key" { for_each = local.SSH_authentication_type_condition ? [ 1] : [] content { - path = "/home/notused/.ssh/authorized_keys" - key_data = file("${path.module}/azure_public_key") + public_key = file("azure_public_key") + username = "notused" } } - } + boot_diagnostics { - enabled = module.common.boot_diagnostics - storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } - upgrade_policy_mode = "Manual" + upgrade_mode = "Manual" - network_profile { + network_interface { name = "eth0" primary = true - ip_forwarding = false - accelerated_networking = true + enable_ip_forwarding = true + enable_accelerated_networking = true + network_security_group_id = module.network-security-group[0].network_security_group_id ip_configuration { name = "ipconfig1" subnet_id = data.azurerm_subnet.frontend.id load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null primary = true - public_ip_address_configuration { + public_ip_address { name = "${var.vmss_name}-public-ip" - idle_timeout = 15 + idle_timeout_in_minutes = 15 domain_name_label = "${lower(var.vmss_name)}-dns-name" } } } - network_profile { + network_interface { name = "eth1" primary = false - ip_forwarding = true - accelerated_networking = true + enable_ip_forwarding = true + enable_accelerated_networking = true ip_configuration { name = "ipconfig2" subnet_id = data.azurerm_subnet.backend.id @@ -330,11 +345,6 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { primary = true } } - sku { - capacity = var.number_of_vm_instances - name = module.common.vm_size - tier = "Standard" - } tags = var.management_interface == "eth0"?{ x-chkp-management = var.management_name, @@ -357,11 +367,11 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { } resource "azurerm_monitor_autoscale_setting" "vmss_settings" { - depends_on = [azurerm_virtual_machine_scale_set.vmss] + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] name = var.vmss_name resource_group_name = module.common.resource_group_name location = module.common.resource_group_location - target_resource_id = azurerm_virtual_machine_scale_set.vmss.id + target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id profile { name = "Profile1" @@ -375,7 +385,7 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { rule { metric_trigger { metric_name = "Percentage CPU" - metric_resource_id = azurerm_virtual_machine_scale_set.vmss.id + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id time_grain = "PT1M" statistic = "Average" time_window = "PT5M" 
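Review bot: `public_key = file("azure_public_key")` replaces the previous `file("${path.module}/azure_public_key")`, so the key is now resolved against the working directory instead of the module directory and the lookup fails whenever Terraform runs with `-chdir` or this directory is consumed as a module; restore `public_key = file("${path.module}/azure_public_key")`. The eth0 `network_interface` references `module.network-security-group[0]` unconditionally — if that module is declared with a `count` (the README in this commit describes an optional `nsg_id`), deployments where it is 0 error at plan time, and a `var.nsg_id != "" ? var.nsg_id : module.network-security-group[0].network_security_group_id` selector would be the usual fix; confirm how the module is declared. `enable_ip_forwarding` on eth0 flips from the old `false` to `true` with no comment explaining why the public-facing NIC now forwards; a one-line comment such as `# both NICs forward traffic: the gateway routes between frontend and backend` would document the intent. With `boot_diagnostics` always present, `storage_account_uri = ""` when `module.common.boot_diagnostics` is false does not disable diagnostics but appears to select managed storage — a `dynamic "boot_diagnostics"` block would express the intent; verify against the provider version. The scale-set resource starts in the previous hunk and ends after this one.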
@@ -395,7 +405,7 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { rule { metric_trigger { metric_name = "Percentage CPU" - metric_resource_id = azurerm_virtual_machine_scale_set.vmss.id + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id time_grain = "PT1M" statistic = "Average" time_window = "PT5M" @@ -423,14 +433,14 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { } resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ - depends_on = [azurerm_virtual_machine_scale_set.vmss] + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] count = var.enable_custom_metrics ? 1 : 0 role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"]) - principal_id = lookup(azurerm_virtual_machine_scale_set.vmss.identity[0], "principal_id") + principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id") scope = module.common.resource_group_id lifecycle { ignore_changes = [ role_definition_id, principal_id ] } -} \ No newline at end of file +} diff --git a/terraform/azure/vmss-existing-vnet/terraform.tfvars b/terraform/azure/vmss-existing-vnet/terraform.tfvars index 78ee10b9..399ffeef 100755 --- a/terraform/azure/vmss-existing-vnet/terraform.tfvars +++ b/terraform/azure/vmss-existing-vnet/terraform.tfvars 
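Review bot: Pointing `principal_id` at `azurerm_linux_virtual_machine_scale_set.vmss.identity[0]` while `principal_id` stays in `ignore_changes` means that on an existing deployment — where the resource-type change forces the scale set to be destroyed and recreated with a fresh system-assigned identity — the role assignment keeps the deleted principal and the new instances silently lose the custom-metrics role. Either drop `principal_id` from `ignore_changes` or document that `azurerm_role_assignment.custom_metrics_role_assignment` must be tainted after the upgrade. The forced replacement itself deserves a line in the README or changelog, since no `moved` block can bridge two different resource types.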
@@ -1,40 +1,42 @@ #PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW -client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" -resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform" -vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform" -location = "PLEASE ENTER LOCATION" # "eastus" -vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet" -vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet" -frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" # "frontend" -backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend" -backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4 -admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" -sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" -vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" -disk_size = "PLEASE ENTER DISK SIZE" # "110" -vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" -vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" -os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" -bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" -allow_upload_download = "PLEASE ENTER true or false" # true -authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" -availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1" -minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2 -maximum_number_of_vm_instances = 
"PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10 -management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt" -management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181" -management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private" -configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template" -notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # "" -frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" -backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" -enable_custom_metrics = "PLEASE ENTER true or false" # true -enable_floating_ip = "PLEASE ENTER true or false" # false -deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard" -admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh" -serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \ No newline at end of file +client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri" +resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform" +vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform" +location = "PLEASE ENTER LOCATION" # "eastus" +vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet" +vnet_resource_group = "PLEASE ENTER VIRTUAL NETWORK'S RESOURCE GROUP NAME" # "existing-vnet" +frontend_subnet_name = "PLEASE ENTER EXTERNAL SUBNET NAME" 
# "frontend" +backend_subnet_name = "PLEASE ENTER INTERNAL SUBNET NAME" # "backend" +backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4 +admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx" +sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx" +vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2" +disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100" +vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol" +vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110" +os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110" +bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" +allow_upload_download = "PLEASE ENTER true or false" # true +authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password" +availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1" +minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2 +maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10 +management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt" +management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181" +management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private" +configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template" +notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # "" +frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" +backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default" +enable_custom_metrics = "PLEASE ENTER true or false" # true +enable_floating_ip = "PLEASE ENTER true or false" # false +deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard" +admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh" +serial_console_password_hash = "PLEASE ENTER 
SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +add_storage_account_ip_rules = "PLEASE ENTER true or false" # false +storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # [] \ No newline at end of file diff --git a/terraform/azure/vmss-existing-vnet/variables.tf b/terraform/azure/vmss-existing-vnet/variables.tf index 72ed67a4..4d356dcb 100755 --- a/terraform/azure/vmss-existing-vnet/variables.tf +++ b/terraform/azure/vmss-existing-vnet/variables.tf @@ -76,7 +76,7 @@ variable "template_name"{ variable "template_version"{ description = "Template version. It is recommended to always use the latest template version" type = string - default = "20210111" + default = "20230910" } variable "installation_type"{ @@ -106,10 +106,6 @@ variable "vm_size" { type = string } -variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" - type = string -} variable "os_version" { description = "GAIA OS version" @@ -126,7 +122,15 @@ locals { // locals for 'vm_os_offer' allowed values // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) } - +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100" + type = string + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is not 100 and the version is R81.20 or below + count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0 +} variable "vm_os_sku" { description = "The sku of the image to be deployed." type = string 
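Review bot: The new `storage_account_additional_ips` line uses a string placeholder for a variable declared as `list(string)`, and the new side still ends without a trailing newline (`\ No newline at end of file`), which the main.tf hunk fixed but this one did not. The file also continues to expect `client_secret`, `admin_password`, `sic_key` and the two password hashes to be typed into a file that sits next to the code and is easily committed; a comment at the top such as `# Prefer TF_VAR_<name> environment variables or an untracked -var-file for secret values` would be the defensive default.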
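Review bot: The `disk_size` guard aborts the plan by handing `count` a string, so the user sees Terraform's type-conversion error rather than the message text, and it introduces `null_resource`, whose `hashicorp/null` provider is not listed in the new `versions.tf`. With `required_version = ">= 0.14.3"` a `validation` block cannot reference `var.os_version`, so a clearer alternative is a `precondition` in the scale set's `lifecycle` (Terraform 1.2+) or, at minimum, a comment stating that the failure surfaces as an "Invalid count argument" error. `default = 100` on a `type = string` variable relies on conversion; `default = "100"` matches the declared type.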
@@ -188,6 +192,7 @@ variable "configuration_template_name" { variable "admin_shell" { description = "The admin shell to configure on machine or the first time" type = string + default = "/etc/cli.sh" } locals { @@ -228,7 +233,17 @@ variable "vnet_allocation_method" { default = "Static" } -//********************* Load Balancers Variables **********************// +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +}//********************* Load Balancers Variables **********************// variable "deployment_mode" { description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" type = string @@ -257,7 +272,7 @@ variable "lb_probe_port" { variable "lb_probe_protocol" { description = "Protocols to be used for load balancer health probes and rules" - default = "tcp" + default = "Tcp" } variable "lb_probe_unhealthy_threshold" { diff --git a/terraform/azure/vmss-existing-vnet/versions.tf b/terraform/azure/vmss-existing-vnet/versions.tf new file mode 100755 index 00000000..df4caa26 --- /dev/null +++ b/terraform/azure/vmss-existing-vnet/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} + + diff --git a/terraform/azure/vmss-new-vnet/README.md b/terraform/azure/vmss-new-vnet/README.md index 81ce1142..bdb644ff 100755 --- a/terraform/azure/vmss-new-vnet/README.md +++ b/terraform/azure/vmss-new-vnet/README.md 
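Review bot: The closing brace of `storage_account_additional_ips` and the `//********************* Load Balancers Variables` banner ended up on one line (`}//****`); put the banner back on its own line after a blank. The description of `add_storage_account_ip_rules` says access is limited "based on their geographic location", but in main.tf the flag only toggles `default_action` between Allow and Deny and the region-derived list comes from `module.common.storage_account_ip_rules`, which is not visible here; the description should state what the flag does, e.g. `description = "Restrict the boot-diagnostics storage account to the Serial Console IP ranges of the deployment region plus storage_account_additional_ips; false allows all networks"`. As far as I recall Azure storage IP rules reject RFC1918 ranges and require /31 and /32 prefixes to be written as plain addresses, which is worth saying in the `storage_account_additional_ips` description.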
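Review bot: `random` is declared without `source = "hashicorp/random"` while `azurerm` carries one; both resolve to the HashiCorp namespace, but spelling it out keeps the block consistent and avoids the implicit lookup. variables.tf in the same directory adds a `null_resource`, so `null = { source = "hashicorp/null" }` belongs in `required_providers` too. The two trailing blank lines at the end of the new file can go.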
@@ -75,83 +75,89 @@ This solution uses the following modules: terraform apply ### terraform.tfvars variables: - | Name | Description | Type | Allowed values | - | ------------- | ------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | - | **client_secret** | passwordThe client secret of the Service Principal used to deploy the solution | string | - | | | | | | - | **client_id** | The client ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | - | | | | | | - | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | - | | | | | | - | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. 
| string | - | | | | | | - | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period | - | | | | | | - | **location** | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | - | | | | | | - | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long | - | | | | | | - | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | - | | | | | | - | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | - | | | | | | - | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | - | | | | | | - | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| number | Starting from 5-th IP address in a subnet. 
For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | - | | | | | | - | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | - | | | | | | - | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | - | | | | | | - | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", 
"Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | - | | | | | | - | **disk_size** | Storage data disk size size(GB) | string | A number in the range 100 - 3995 (GB) | - | | | | | | - | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above;
"sg-ngtp" - NGTP PAYG license for R80.40 and above;
"sg-ngtx" - NGTX PAYG license for R80.40 and above; | - | | | | | | - | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | - | | | | | | - | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | - | | | | | | - | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | - | | | | | | - | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | - | | | | | | - | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | - | | | | | | - | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | - | | | | | | - | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | - | | | | | | - | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | - | | | | | | - | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | - | | | | | | - | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | - | | | | | | - | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | - | | | | | | - | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | - | | | | | | - | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | - | | | | | | - | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP. | boolean | true;
false; | - | | | | | | - | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal, only External, only Internal. | string | Standard (Default);
External;
Internal; | - | | | | | | - | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | + | Name | Description | Type | Allowed values | Default | + | ------------- | ------------- | ------------- |---------| ------------- | + | **client_secret** | The client secret of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **client_id** | The client ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **tenant_id** | The tenant ID of the Service Principal used to deploy the solution | string | | n/a + | | | | | | + | **subscription_id** | The subscription ID is used to pay for Azure cloud services | string | | n/a + | | | | | | + | **source_image_vhd_uri** | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images | string | | "noCustomUri" + | | | | | | + | **resource_group_name** | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period
Note: Resource group name must not contain reserved words based on: sk40179| n/a + | | | | | | + | **location** | The region where the resources will be deployed at | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions | n/a + | | | | | | + | **vmss_name** | The name of the Check Point VMSS Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long
Note: vmss name must not contain reserved words based on: sk40179 | n/a + | | | | | | + | **vnet_name** | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens | n/a + | | | | | | + | **address_space** | The address prefixes of the virtual network | string | Valid CIDR block | "10.0.0.0/16" + | | | | | | + | **subnet_prefixes** | The address prefixes to be used for created subnets | string | The subnets need to contain within the address space for this virtual network(defined by address_space variable) | ["10.0.0.0/24","10.0.1.0/24"] + | | | | | | + | **backend_lb_IP_address** | Is a whole number that can be represented as a binary integer with no more than the number of digits remaining in the address after the given prefix| number | Starting from 5-th IP address in a subnet. For example: subnet - 10.0.1.0/24, backend_lb_IP_address = 4 , the LB IP is 10.0.1.4 | n/a + | | | | | | + | **admin_password** | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character | n/a + | | | | | | + | **sic_key** | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long | n/a + | | | | | | + | **vm_size** | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", 
"Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" | n/a + | | | | | | + | **disk_size** | Storage data disk size size(GB) must be 100 for versions R81.20 and below | string | A number in the range 100 - 3995 (GB) | 100 + | | | | | | + | **vm_os_sku** | A sku of the image to be deployed | string | "sg-byol" - BYOL license;
"sg-ngtp" - NGTP PAYG license;
"sg-ngtx" - NGTX PAYG license; | n/a + | | | | | | + | **vm_os_offer** | The name of the image offer to be deployed | string | "check-point-cg-r8040";
"check-point-cg-r81";
"check-point-cg-r8110";
"check-point-cg-r8120"; | n/a + | | | | | | + | **os_version** | GAIA OS version | string | "R8040";
"R81";
"R8110";
"R8120"; | n/a + | | | | | | + | **bootstrap_script** | An optional script to run on the initial boot | string | Bootstrap script example:
"touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
The script will create bootstrap.txt file in the /home/admin/ and add 'hello word' string into it | n/a + | | | | | | + | **allow_upload_download** | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true;
false; | n/a + | | | | | | + | **authentication_type** | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password";
"SSH Public Key"; | n/a + | | | | | | + | **availability_zones_num** | A list of a single item of the Availability Zone which the Virtual Machine should be allocated in | string | "centralus", "eastus2", "francecentral", "northeurope", "southeastasia", "westeurope", "westus2", "eastus", "uksouth" | n/a + | | | | | | + | **minimum_number_of_vm_instances** | The minimum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **maximum_number_of_vm_instances** | The maximum number of VMSS instances for this resource | number | Valid values are in the range 0 - 10 | n/a + | | | | | | + | **management_name** | The name of the management server as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **management_IP** | The IP address used to manage the VMSS instances | string | A valid IP address | n/a + | | | | | | + | **management_interface** | Management option for the Gateways in the VMSS | string | "eth0-public" - Manages the GWs using their external NIC's public IP address;
"eth0-private" -Manages the GWs using their external NIC's private IP address;
"eth1-private" - Manages the GWs using their internal NIC's private IP address | "eth1-private" + | | | | | | + | **configuration_template_name** | The configuration template name as it appears in the configuration file | string | Field cannot be empty. Only alphanumeric characters or '_'/'-' are allowed, and the name must be 1-30 characters long | n/a + | | | | | | + | **frontend_load_distribution** | The load balancing distribution method for the External Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **backend_load_distribution** | The load balancing distribution method for the Internal Load Balancer | string | "Default" - None(5-tuple);
"SourceIP" - ClientIP(2-tuple);
"SourceIPProtocol" - ClientIP and protocol(3-tuple) | n/a + | | | | | | + | **notification_email** | An email address to notify about scaling operations | string | Leave empty double quotes or enter a valid email address | n/a + | | | | | | + | **enable_custom_metrics** | Indicates whether Custom Metrics will be used for VMSS Scaling policy and VM monitoring | boolean | true;
false; | n/a + | | | | | | + | **enable_floating_ip** | Indicates whether the load balancers will be deployed with floating IP | boolean | true;
false; | n/a + | | | | | | + | **deployment_mode** | Indicates which load balancer need to be deployed. External + Internal(Standard), only External, only Internal | string | Standard ;
External;
Internal; | "Standard" + | | | | | | + | **admin_shell** | Enables to select different admin shells | string | /etc/cli.sh;
/bin/bash;
/bin/csh;
/bin/tcsh; | "/etc/cli.sh" + | | | | | | + | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here | string | | n/a + | | | | | | + | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | n/a + | | | | | | + | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID | "" | | | | | | - | **serial_console_password_hash** | Optional parameter, used to enable serial console connection in case of SSH key as authentication type, to generate password hash use the command 'openssl passwd -6 PASSWORD' on Linux and paste it here. | string | + | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false; | false | | | | | | - | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | + | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs | [] ## Conditional creation To create role assignment and enable CloudGuard metrics in order to send statuses and statistics collected from VMSS instances to the Azure Monitor service: @@ -175,10 +181,10 @@ enable_custom_metrics = true admin_password = "xxxxxxxxxxxx" sic_key = "xxxxxxxxxxxx" vm_size = "Standard_D3_v2" - disk_size = "110" + disk_size = "100" vm_os_sku = "sg-byol" vm_os_offer = "check-point-cg-r8110" - os_version = "R81.10" + os_version = "R8110" bootstrap_script = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" allow_upload_download = true authentication_type = "Password" @@ -197,8 +203,10 @@ enable_custom_metrics = true deployment_mode = "Standard" admin_shell = "/etc/cli.sh" serial_console_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - + maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" + nsg_id = "" + add_storage_account_ip_rules = false + storage_account_additional_ips = [] ## Deploy Without Public IP 
@@ -206,19 +214,18 @@ enable_custom_metrics = true 2. To deploy without public IP, remove the "public_ip_address_configuration" block in main.tf ## Known limitations - -1. Deploy the VMSS with External load balancer only (Inbound inspection only) is not supported -2. Deploy the VMSS with Internal load balancer only (Outbound and E-W inspection only) is not supported ## Revision History In order to check the template version refer to the [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585) -| Template Version | Description | -| ---------------- | ------------- | +| Template Version | Description | +| ---------------- | --------- | +| 20230910 | - R81.20 is the default version | +| | | | | 20221124 | - Added R81.20 support
- Upgraded azurerm provider | | | | | -| 20220111 | - Added support to select different shells. | +| 20220111 | - Added support to select different shells | | | | | | 20210309 | - Add "source_image_vhd_uri" variable for using a custom development image
- Fix zones filed for scale set be installed as multi-zone
- Modify "management_interface" variable and tags regarding managing the Gateways in the Scale Set | | | | | @@ -228,7 +235,7 @@ In order to check the template version refer to the [sk116585](https://supportce | | | | | 20200305 | First release of Check Point CloudGuard IaaS VMSS Terraform deployment for Azure | | | | | -| | Addition of "templateType" parameter to "cloud-version" files. | +| | Addition of "templateType" parameter to "cloud-version" files | | | | | diff --git a/terraform/azure/vmss-new-vnet/main.tf b/terraform/azure/vmss-new-vnet/main.tf index c4c02de6..967fd8c8 100755 --- a/terraform/azure/vmss-new-vnet/main.tf +++ b/terraform/azure/vmss-new-vnet/main.tf @@ -1,16 +1,3 @@ -terraform { - required_version = ">= 0.14.3" - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.92.0" - } - random = { - version = "~> 2.2.1" - } - } -} - provider "azurerm" { subscription_id = var.subscription_id client_id = var.client_id @@ -40,6 +27,7 @@ module "common" { authentication_type = var.authentication_type serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash + storage_account_additional_ips = var.storage_account_additional_ips } //********************** Networking **************************// 
@@ -48,13 +36,14 @@ module "vnet" { vnet_name = var.vnet_name resource_group_name = module.common.resource_group_name location = module.common.resource_group_location - nsg_id = module.network-security-group.network_security_group_id + nsg_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id: var.nsg_id address_space = var.address_space subnet_prefixes = var.subnet_prefixes } module "network-security-group" { source = "../modules/network-security-group" + count = var.nsg_id == "" ? 1 : 0 resource_group_name = module.common.resource_group_name security_group_name = "${module.common.resource_group_name}_nsg" location = module.common.resource_group_location @@ -100,17 +89,16 @@ resource "azurerm_lb" "frontend-lb" { resource_group_name = module.common.resource_group_name sku = var.sku - frontend_ip_configuration { - name = "${var.vmss_name}-app-1" - public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id - } + frontend_ip_configuration { + name = "${var.vmss_name}-app-1" + public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id + } } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { - count = var.deployment_mode != "Internal" ? 1 : 0 - resource_group_name = module.common.resource_group_name - loadbalancer_id = azurerm_lb.frontend-lb[0].id - name = "${var.vmss_name}-app-1" + count = var.deployment_mode != "Internal" ? 1 : 0 + loadbalancer_id = azurerm_lb.frontend-lb[0].id + name = "${var.vmss_name}-app-1" } resource "azurerm_lb" "backend-lb" { @@ -121,7 +109,7 @@ resource "azurerm_lb" "backend-lb" { sku = var.sku frontend_ip_configuration { name = "backend-lb" - subnet_id = module.vnet.vnet_subnets[1] + subnet_id = module.vnet.vnet_subnets[1] private_ip_address_allocation = module.vnet.allocation_method private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address) } 
@@ -131,12 +119,11 @@ resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { count = var.deployment_mode != "External" ? 1 : 0 name = "backend-lb-pool" loadbalancer_id = azurerm_lb.backend-lb[0].id - resource_group_name = module.common.resource_group_name } resource "azurerm_lb_probe" "azure_lb_healprob" { count = var.deployment_mode == "Standard" ? 2 : 1 - resource_group_name = module.common.resource_group_name + depends_on = [azurerm_lb.frontend-lb, azurerm_lb.backend-lb] loadbalancer_id = var.deployment_mode == "Standard" ? (count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) : (var.deployment_mode == "External" ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id) name = var.deployment_mode == "Standard" ? (count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb") : (var.deployment_mode == "External" ? "${var.vmss_name}-app-1" : "backend-lb") protocol = var.lb_probe_protocol 
@@ -149,13 +136,12 @@ resource "azurerm_lb_probe" "azure_lb_healprob" { resource "azurerm_lb_rule" "lbnatrule-standard" { count = var.deployment_mode == "Standard" ? 2 : 0 depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] - resource_group_name = module.common.resource_group_name loadbalancer_id = count.index == 0 ? azurerm_lb.frontend-lb[0].id : azurerm_lb.backend-lb[0].id name = count.index == 0 ? "${var.vmss_name}-app-1" : "backend-lb" protocol = count.index == 0 ? "Tcp" : "All" frontend_port = count.index == 0 ? var.frontend_port : "0" backend_port = count.index == 0 ? var.backend_port : "0" - backend_address_pool_id = count.index == 0 ? azurerm_lb_backend_address_pool.frontend-lb-pool[0].id : azurerm_lb_backend_address_pool.backend-lb-pool[0].id + backend_address_pool_ids = count.index == 0 ? [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] : [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] frontend_ip_configuration_name = count.index == 0 ? azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name : azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name probe_id = azurerm_lb_probe.azure_lb_healprob[count.index].id load_distribution = count.index == 0 ? var.frontend_load_distribution : var.backend_load_distribution 
@@ -166,13 +152,12 @@ resource "azurerm_lb_rule" "lbnatrule-standard" { resource "azurerm_lb_rule" "lbnatrule-external" { count = var.deployment_mode == "External" ? 1 : 0 depends_on = [azurerm_lb.frontend-lb[0],azurerm_lb_probe.azure_lb_healprob] - resource_group_name = module.common.resource_group_name loadbalancer_id = azurerm_lb.frontend-lb[0].id name = "${var.vmss_name}-app-1" protocol = "Tcp" frontend_port = var.frontend_port backend_port = var.backend_port - backend_address_pool_id = azurerm_lb_backend_address_pool.frontend-lb-pool[0].id + backend_address_pool_ids = [azurerm_lb_backend_address_pool.frontend-lb-pool[0].id] frontend_ip_configuration_name = azurerm_lb.frontend-lb[0].frontend_ip_configuration[0].name probe_id = azurerm_lb_probe.azure_lb_healprob[0].id load_distribution = var.frontend_load_distribution @@ -183,13 +168,12 @@ resource "azurerm_lb_rule" "lbnatrule-external" { resource "azurerm_lb_rule" "lbnatrule-internal" { count = var.deployment_mode == "Internal" ? 1 : 0 depends_on = [azurerm_lb_probe.azure_lb_healprob,azurerm_lb.backend-lb[0]] - resource_group_name = module.common.resource_group_name loadbalancer_id = azurerm_lb.backend-lb[0].id name = "backend-lb" protocol = "All" frontend_port = "0" backend_port = "0" - backend_address_pool_id = azurerm_lb_backend_address_pool.backend-lb-pool[0].id + backend_address_pool_ids = [azurerm_lb_backend_address_pool.backend-lb-pool[0].id] frontend_ip_configuration_name = azurerm_lb.backend-lb[0].frontend_ip_configuration[0].name probe_id = azurerm_lb_probe.azure_lb_healprob[0].id load_distribution = var.backend_load_distribution 
@@ -206,11 +190,20 @@ resource "random_id" "randomId" { byte_length = 8 } resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { - name = "diag${random_id.randomId.hex}" - resource_group_name = module.common.resource_group_name - location = module.common.resource_group_location - account_tier = module.common.storage_account_tier - account_replication_type = module.common.account_replication_type + name = "diag${random_id.randomId.hex}" + resource_group_name = module.common.resource_group_name + location = module.common.resource_group_location + account_tier = module.common.storage_account_tier + account_replication_type = module.common.account_replication_type + network_rules { + default_action = var.add_storage_account_ip_rules ? "Deny" : "Allow" + ip_rules = module.common.storage_account_ip_rules + } + blob_properties { + delete_retention_policy { + days = "15" + } + } } //********************** Virtual Machines **************************// 
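Review bot: The new `network_rules` block leaves the boot-diagnostics storage account reachable from every network unless the operator opts in, because `add_storage_account_ip_rules` defaults to false, which maps to `default_action = "Allow"`, and with Allow the `ip_rules` list has no effect. This account is what the scale set writes its `boot_diagnostics` to (next hunk) and the README ties the flag to serial-console access, so consider `default_action = "Deny"` as the default with the region list plus `storage_account_additional_ips` as the allow list, or at least a README sentence stating that the default exposes the account endpoint publicly. Since the template now targets azurerm 3.x, an explicit `allow_nested_items_to_be_public = false` on the account would also record that blob-level anonymous access is not intended. Minor: `days = "15"` is a numeric attribute and reads better as `days = 15`.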
@@ -235,38 +228,41 @@ resource "azurerm_image" "custom-image" { } } -resource "azurerm_virtual_machine_scale_set" "vmss" { +resource "azurerm_linux_virtual_machine_scale_set" "vmss" { name = var.vmss_name location = module.common.resource_group_location resource_group_name = module.common.resource_group_name + sku = module.common.vm_size zones = local.availability_zones_num_condition + instances = var.number_of_vm_instances overprovision = false dynamic "identity" { - for_each = var.enable_custom_metrics ? [ - 1] : [] + for_each = var.enable_custom_metrics ? [1] : [] content { type = "SystemAssigned" } } - storage_profile_image_reference { - id = local.custom_image_condition ? azurerm_image.custom-image[0].id : null - publisher = local.custom_image_condition ? null : module.common.publisher - offer = module.common.vm_os_offer - sku = module.common.vm_os_sku - version = module.common.vm_os_version + dynamic "source_image_reference" { + for_each = local.custom_image_condition ? [] : [1] + content { + publisher = module.common.publisher + offer = module.common.vm_os_offer + sku = module.common.vm_os_sku + version = module.common.vm_os_version + } } + source_image_id = local.custom_image_condition? azurerm_image.custom-image[0].id : null - storage_profile_os_disk { - create_option = module.common.storage_os_disk_create_option + os_disk { + disk_size_gb = module.common.disk_size caching = module.common.storage_os_disk_caching - managed_disk_type = module.common.storage_account_type + storage_account_type = module.common.storage_account_type } dynamic "plan" { - for_each = local.custom_image_condition ? [ - ] : [1] + for_each = local.custom_image_condition ? [] : [1] content { name = module.common.vm_os_sku publisher = module.common.publisher 
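Review bot: Renaming the resource from `azurerm_virtual_machine_scale_set.vmss` to `azurerm_linux_virtual_machine_scale_set.vmss` changes the resource address, so an existing deployment that upgrades the template will plan a destroy of the old scale set and a create of the new one rather than an in-place update; the 20230910 revision entry in the README only mentions the R81.20 default and should call out this replacement (or give an import step for the new address). Separately, `instances = var.number_of_vm_instances` is set on a scale set whose capacity is managed by `azurerm_monitor_autoscale_setting.vmss_settings`, so every later apply will try to reset the instance count to the variable's value; the provider's recommended pattern is `lifecycle { ignore_changes = [instances] }` on the scale set. The old `sku { capacity = ... }` had the same drift, so this is not a regression, but the rewrite is the moment to fix it. The resource body continues in the next hunk.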
@@ -274,73 +270,70 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { } } - os_profile { - computer_name_prefix = var.vmss_name - admin_username = module.common.admin_username - admin_password = module.common.admin_password - custom_data = templatefile("${path.module}/cloud-init.sh",{ - installation_type=module.common.installation_type - allow_upload_download= module.common.allow_upload_download - os_version=module.common.os_version - template_name=module.common.template_name - template_version=module.common.template_version - template_type = "terraform" - is_blink=module.common.is_blink - bootstrap_script64=base64encode(var.bootstrap_script) - location=module.common.resource_group_location - sic_key=var.sic_key - vnet=module.vnet.subnet_prefixes[0] - enable_custom_metrics=var.enable_custom_metrics ? "yes" : "no" - admin_shell = var.admin_shell - serial_console_password_hash = var.serial_console_password_hash - maintenance_mode_password_hash = var.maintenance_mode_password_hash - }) - } + computer_name_prefix = var.vmss_name + admin_username = module.common.admin_username + admin_password = module.common.admin_password + custom_data = base64encode(templatefile("${path.module}/cloud-init.sh", { + installation_type = module.common.installation_type + allow_upload_download = module.common.allow_upload_download + os_version = module.common.os_version + template_name = module.common.template_name + template_version = module.common.template_version + template_type = "terraform" + is_blink = module.common.is_blink + bootstrap_script64 = base64encode(var.bootstrap_script) + location = module.common.resource_group_location + sic_key = var.sic_key + vnet = module.vnet.subnet_prefixes[0] + enable_custom_metrics = var.enable_custom_metrics ? 
"yes" : "no" + admin_shell = var.admin_shell + serial_console_password_hash = var.serial_console_password_hash + maintenance_mode_password_hash = var.maintenance_mode_password_hash + })) + - os_profile_linux_config { disable_password_authentication = local.SSH_authentication_type_condition - dynamic "ssh_keys" { + dynamic "admin_ssh_key" { for_each = local.SSH_authentication_type_condition ? [ 1] : [] content { - path = "/home/notused/.ssh/authorized_keys" - key_data = file("${path.module}/azure_public_key") + public_key = file("azure_public_key") + username = "notused" } } - } + boot_diagnostics { - enabled = module.common.boot_diagnostics - storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" + storage_account_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } - upgrade_policy_mode = "Manual" + upgrade_mode = "Manual" - network_profile { + network_interface { name = "eth0" primary = true - ip_forwarding = false - accelerated_networking = true - network_security_group_id = module.network-security-group.network_security_group_id + enable_ip_forwarding = true + enable_accelerated_networking = true + network_security_group_id = module.network-security-group[0].network_security_group_id ip_configuration { name = "ipconfig1" subnet_id = module.vnet.vnet_subnets[0] load_balancer_backend_address_pool_ids = var.deployment_mode != "Internal" ? 
[azurerm_lb_backend_address_pool.frontend-lb-pool[0].id]: null primary = true - public_ip_address_configuration { - name = "${var.vmss_name}-public-ip" - idle_timeout = 15 - domain_name_label = "${lower(var.vmss_name)}-dns-name" + public_ip_address { + name = "${var.vmss_name}-public-ip" + idle_timeout_in_minutes = 15 + domain_name_label = "${lower(var.vmss_name)}-dns-name" } } } - network_profile { + network_interface { name = "eth1" primary = false - ip_forwarding = true - accelerated_networking = true + enable_ip_forwarding = true + enable_accelerated_networking = true ip_configuration { name = "ipconfig2" subnet_id = module.vnet.vnet_subnets[1] @@ -348,11 +341,6 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { primary = true } } - sku { - capacity = var.number_of_vm_instances - name = module.common.vm_size - tier = "Standard" - } tags = var.management_interface == "eth0"?{ x-chkp-management = var.management_name, @@ -362,7 +350,7 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { x-chkp-management-address = var.management_IP, x-chkp-topology = "eth0:external,eth1:internal", x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri, + x-chkp-srcImageUri = var.source_image_vhd_uri }:{ x-chkp-management = var.management_name, x-chkp-template = var.configuration_template_name, 
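Review bot: The eth0 `network_interface` still indexes `module.network-security-group[0].network_security_group_id` unconditionally, but the module now has `count = var.nsg_id == "" ? 1 : 0` (hunk `@@ -48,13 +36,14 @@`), so any deployment that supplies its own `nsg_id` fails at plan time with an index error instead of attaching the supplied group; mirror the vnet call: `network_security_group_id = var.nsg_id == "" ? module.network-security-group[0].network_security_group_id : var.nsg_id`. The SSH key is now read with `file("azure_public_key")`, a path relative to the working directory rather than the module, so the key is not found when the template is run from elsewhere; the previous `file("${path.module}/azure_public_key")` keeps it module-relative. eth0 also changes from `ip_forwarding = false` to `enable_ip_forwarding = true`, which the commit message does not mention; if that is intended for the external NIC a short comment would stop it being reverted as a typo. Finally, as far as I recall the linux scale-set resource rejects a non-null `admin_password` when `disable_password_authentication` is true, so unless `module.common.admin_password` is already null in the "SSH Public Key" case that path will error; the common module is outside this diff, so please confirm. The `vmss` resource header is in the previous hunk.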
@@ -370,16 +358,16 @@ resource "azurerm_virtual_machine_scale_set" "vmss" { x-chkp-management-interface = local.management_interface_name, x-chkp-topology = "eth0:external,eth1:internal", x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri, + x-chkp-srcImageUri = var.source_image_vhd_uri } } resource "azurerm_monitor_autoscale_setting" "vmss_settings" { - depends_on = [azurerm_virtual_machine_scale_set.vmss] + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] name = var.vmss_name resource_group_name = module.common.resource_group_name location = module.common.resource_group_location - target_resource_id = azurerm_virtual_machine_scale_set.vmss.id + target_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id profile { name = "Profile1" @@ -393,7 +381,7 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { rule { metric_trigger { metric_name = "Percentage CPU" - metric_resource_id = azurerm_virtual_machine_scale_set.vmss.id + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id time_grain = "PT1M" statistic = "Average" time_window = "PT5M" @@ -413,7 +401,7 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { rule { metric_trigger { metric_name = "Percentage CPU" - metric_resource_id = azurerm_virtual_machine_scale_set.vmss.id + metric_resource_id = azurerm_linux_virtual_machine_scale_set.vmss.id time_grain = "PT1M" statistic = "Average" time_window = "PT5M" 
@@ -441,14 +429,14 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { } resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ - depends_on = [azurerm_virtual_machine_scale_set.vmss] + depends_on = [azurerm_linux_virtual_machine_scale_set.vmss] count = var.enable_custom_metrics ? 1 : 0 role_definition_id = join("", ["/subscriptions/", var.subscription_id, "/providers/Microsoft.Authorization/roleDefinitions/", "3913510d-42f4-4e42-8a64-420c390055eb"]) - principal_id = lookup(azurerm_virtual_machine_scale_set.vmss.identity[0], "principal_id") + principal_id = lookup(azurerm_linux_virtual_machine_scale_set.vmss.identity[0], "principal_id") scope = module.common.resource_group_id lifecycle { ignore_changes = [ role_definition_id, principal_id ] } -} \ No newline at end of file +} diff --git a/terraform/azure/vmss-new-vnet/terraform.tfvars b/terraform/azure/vmss-new-vnet/terraform.tfvars index 7ec1a18f..73266464 100755 --- a/terraform/azure/vmss-new-vnet/terraform.tfvars +++ b/terraform/azure/vmss-new-vnet/terraform.tfvars 
@@ -1,39 +1,42 @@
 //#PLEASE refer to the README.md for accepted values FOR THE VARIABLES BELOW
-client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
-resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
-vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
-location = "PLEASE ENTER LOCATION" # "eastus"
-vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
-address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
-subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
-backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
-admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
-sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
-vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
-disk_size = "PLEASE ENTER DISK SIZE" # "110"
-vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
-vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
-os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
-bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
-allow_upload_download = "PLEASE ENTER true or false" # true
-authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
-availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
-minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
-maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
-management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
-management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
-management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
-configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
-notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
-frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
-backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
-enable_custom_metrics = "PLEASE ENTER true or false" # true
-enable_floating_ip = "PLEASE ENTER true or false" # false
-deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
-admin_shell = "PLEASE ETNER ADMIN SHELL" # "/etc/cli.sh"
-serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
\ No newline at end of file
+client_secret = "PLEASE ENTER CLIENT SECRET" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+client_id = "PLEASE ENTER CLIENT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+tenant_id = "PLEASE ENTER TENANT ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+subscription_id = "PLEASE ENTER SUBSCRIPTION ID" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+source_image_vhd_uri = "PLEASE ENTER SOURCE IMAGE VHD URI OR noCustomUri" # "noCustomUri"
+resource_group_name = "PLEASE ENTER RESOURCE GROUP NAME" # "checkpoint-vmss-terraform"
+vmss_name = "PLEASE ENTER SCALE SET NAME" # "checkpoint-vmss-terraform"
+location = "PLEASE ENTER LOCATION" # "eastus"
+vnet_name = "PLEASE ENTER VIRTUAL NETWORK NAME" # "checkpoint-vmss-vnet"
+address_space = "PLEASE ENTER VIRTUAL NETWORK ADDRESS SPACE" # "10.0.0.0/16"
+subnet_prefixes = "PLEASE ENTER ADDRESS PREFIXES FOR SUBNETS" # ["10.0.1.0/24","10.0.2.0/24"]
+backend_lb_IP_address = "PLEASE ENTER BACKEND LB IP ADDRESS POSITIONAL NUMBER" # 4
+admin_password = "PLEASE ENTER ADMIN PASSWORD" # "xxxxxxxxxxxx"
+sic_key = "PLEASE ENTER SIC KEY" # "xxxxxxxxxxxx"
+vm_size = "PLEASE ENTER VM SIZE" # "Standard_D3_v2"
+disk_size = "PLEASE ENTER DISK SIZE MUST BE 100 FOR VERSIONS R81.20 AND BELOW" # "100"
+vm_os_sku = "PLEASE ENTER VM SKU" # "sg-byol"
+vm_os_offer = "PLEASE ENTER VM OFFER" # "check-point-cg-r8110"
+os_version = "PLEASE ENTER GAIA OS VERSION" # "R8110"
+bootstrap_script = "PLEASE ENTER CUSTOM SCRIPT OR LEAVE EMPTY DOUBLE QUOTES" # "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
+allow_upload_download = "PLEASE ENTER true or false" # true
+authentication_type = "PLEASE ENTER AUTHENTICATION TYPE" # "Password"
+availability_zones_num = "PLEASE ENTER NUMBER OF AVAILABILITY ZONES" # "1"
+minimum_number_of_vm_instances = "PLEASE ENTER MINIMUM NUMBER OF VM INSTANCES" # 2
+maximum_number_of_vm_instances = "PLEASE ENTER MAXIMUM NUMBER OF VM INSTANCES" # 10
+management_name = "PLEASE ENTER MANAGEMENT NAME" # "mgmt"
+management_IP = "PLEASE ENTER MANAGEMENT IP" # "13.92.42.181"
+management_interface = "PLEASE ENTER MANAGEMENT INTERFACE" # "eth1-private"
+configuration_template_name = "PLEASE ENTER CONFIGURATION TEMPLATE NAME" # "vmss_template"
+notification_email = "PLEASE ENTER NOTIFICATION MAIL OR LEAVE EMPTY DOUBLE QUOTES" # ""
+frontend_load_distribution = "PLEASE ENTER EXTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+backend_load_distribution = "PLEASE ENTER INTERNAL LOAD BALANCER SESSION PERSISTENCE" # "Default"
+enable_custom_metrics = "PLEASE ENTER true or false" # true
+enable_floating_ip = "PLEASE ENTER true or false" # false
+deployment_mode = "PLEASE ENTER DEPLOYMENT MODE" # "Standard"
+admin_shell = "PLEASE ENTER ADMIN SHELL" # "/etc/cli.sh"
+serial_console_password_hash = "PLEASE ENTER SERIAL CONSOLE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+maintenance_mode_password_hash = "PLEASE ENTER MAINTENANCE MODE PASSWORD HASH" # "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+nsg_id = "PLEASE ENTER NETWORK SECURITY GROUP ID" # ""
+add_storage_account_ip_rules = "PLEASE ENTER true or false" # false
+storage_account_additional_ips = "PLEASE ENTER A LIST OF VALID IPS/CIDRS" # []
\ No newline at end of file
diff --git a/terraform/azure/vmss-new-vnet/variables.tf b/terraform/azure/vmss-new-vnet/variables.tf
index 519e620c..1760b8a2 100755
--- a/terraform/azure/vmss-new-vnet/variables.tf
+++ b/terraform/azure/vmss-new-vnet/variables.tf
@@ -76,7 +76,7 @@ variable "template_name"{ variable "template_version"{ description = "Template version. It is recommended to always use the latest template version" type = string - default = "20210111" + default = "20230910" } variable "installation_type"{
@@ -106,10 +106,6 @@ variable "vm_size" { type = string } -variable "disk_size" { - description = "Storage data disk size size(GB).Select a number between 100 and 3995" - type = string -} variable "os_version" { description = "GAIA OS version"
@@ -126,7 +122,15 @@ locals { // locals for 'vm_os_offer' allowed values // will fail if [var.os_version] is invalid: validate_os_version_value = index(local.os_version_allowed_values, var.os_version) } - +variable "disk_size" { + description = "Storage data disk size size(GB). Select a number between 100 and 3995, if you are using R81.20 or below, the disk size must be 100" + type = string + default = 100 +} +resource "null_resource" "disk_size_validation" { + // Will fail if var.disk_size is not 100 and the version is R81.20 or below + count = tonumber(var.disk_size) != 100 && contains(["R8040", "R81", "R8110", "R8120"], var.os_version) ? "variable disk_size can not be changed for R81.20 and below" : 0 +} variable "vm_os_sku" { description = "The sku of the image to be deployed." type = string
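Review bot: `null_resource.disk_size_validation` pulls in the `null` provider, which the new `versions.tf` in this commit does not list under `required_providers` (only azurerm and random), so it resolves implicitly to an unpinned `hashicorp/null`; add `null = { source = "hashicorp/null" }` there or express the check without a provider. The list `["R8040", "R81", "R8110", "R8120"]` is a second hand-maintained version list next to `local.os_version_allowed_values` two lines above, and the guard silently stops covering a version added to one list but not the other; a comment such as `// versions that require disk_size = 100; keep in step with os_version_allowed_values` would make the coupling explicit. Also, a failing `count` surfaces as Terraform's generic invalid-count error with the message string buried inside it; since `required_version` still allows 0.14 a `validation` block on `disk_size` cannot reference `os_version`, so the trick is understandable, but that limitation is worth stating in the comment so nobody "fixes" it into a validation block that cannot work.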
@@ -188,6 +192,7 @@ variable "configuration_template_name" { variable "admin_shell" { description = "The admin shell to configure on machine or the first time" type = string + default = "/etc/cli.sh" } locals { @@ -219,6 +224,22 @@ variable "subnet_prefixes" { default = ["10.0.0.0/24","10.0.1.0/24"] } +variable "nsg_id" { + description = "NSG ID - Optional - if empty use default NSG" + default = "" +} + +variable "add_storage_account_ip_rules" { + type = bool + default = false + description = "Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location" +} + +variable "storage_account_additional_ips" { + type = list(string) + description = "IPs/CIDRs that are allowed access to the Storage Account" + default = [] +} //********************* Load Balancers Variables **********************// variable "deployment_mode" { description = "The type of the deployment, can be 'Standard' for both load balancers or 'External' for external load balancer or 'Internal for internal load balancer" @@ -248,7 +269,7 @@ variable "lb_probe_port" { variable "lb_probe_protocol" { description = "Protocols to be used for load balancer health probes and rules" - default = "tcp" + default = "Tcp" } variable "lb_probe_unhealthy_threshold" { diff --git a/terraform/azure/vmss-new-vnet/versions.tf b/terraform/azure/vmss-new-vnet/versions.tf new file mode 100755 index 00000000..df4caa26 --- /dev/null +++ b/terraform/azure/vmss-new-vnet/versions.tf @@ -0,0 +1,14 @@ +terraform { + required_version = ">= 0.14.3" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 3.81.0" + } + random = { + version = "~> 3.5.1" + } + } +} + +
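Review bot: `variable "nsg_id"` declares no `type`, unlike the two variables added beside it, so a caller can pass any value and the `var.nsg_id == ""` comparisons in main.tf only behave as intended for strings; add `type = string`. `storage_account_additional_ips` is typed but unvalidated even though every entry ends up in the storage account's `ip_rules`, where a malformed entry only fails at apply time; a `validation` block checking each entry with `can(cidrhost(ip, 0))` (plus a plain-IPv4 match for entries without a prefix) would surface the mistake at plan. The description of `add_storage_account_ip_rules` should also say what happens when it is false — the storage account falls back to `default_action = "Allow"` in main.tf — since that is the security-relevant half of the flag.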