diff --git a/aws/templates/asg/autoscale-master.yaml b/aws/templates/asg/autoscale-master.yaml new file mode 100755 index 00000000..cd92073a --- /dev/null +++ b/aws/templates/asg/autoscale-master.yaml @@ -0,0 +1,759 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Create an Auto Scaling group of Check Point gateways into a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZones + - NumberOfAZs + - VPCCIDR + - PublicSubnet1CIDR + - PublicSubnet2CIDR + - PublicSubnet3CIDR + - PublicSubnet4CIDR + - PrivateSubnet1CIDR + - PrivateSubnet2CIDR + - PrivateSubnet3CIDR + - PrivateSubnet4CIDR + - Label: + default: EC2 Instances Configuration + Parameters: + - GatewayName + - GatewayInstanceType + - KeyName + - VolumeSize + - VolumeType + - EnableVolumeEncryption + - EnableInstanceConnect + - MetaDataToken + - Label: + default: Auto Scaling Configuration + Parameters: + - GatewaysMinSize + - GatewaysMaxSize + - AdminEmail + - GatewaysTargetGroups + - Label: + default: Check Point Settings + Parameters: + - GatewayVersion + - Shell + - GatewayPasswordHash + - GatewayMaintenancePasswordHash + - GatewaySICKey + - AllowUploadDownload + - CloudWatch + - GatewayBootstrapScript + - Label: + default: Automatic Provisioning with Security Management Server Settings + Parameters: + - ControlGatewayOverPrivateOrPublicAddress + - ManagementServer + - ConfigurationTemplate + - Label: + default: Proxy Configuration (optional) + Parameters: + - ELBType + - ELBPort + - ELBClients + ParameterLabels: + AvailabilityZones: + default: Availability Zones + NumberOfAZs: + default: Number of AZs + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Public Subnet 1 + PublicSubnet2CIDR: + default: Public Subnet 2 + PublicSubnet3CIDR: + default: Public Subnet 3 + PublicSubnet4CIDR: + default: Public Subnet 4 + PrivateSubnet1CIDR: + default: Private Subnet 1 + PrivateSubnet2CIDR: + default: Private Subnet 2 + PrivateSubnet3CIDR: + default: Private Subnet 3 + PrivateSubnet4CIDR: + default: Private Subnet 4 + GatewayName: + default: Gateways name + GatewayInstanceType: + default: Gateways instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + EnableVolumeEncryption: + default: Enable volume encryption + EnableInstanceConnect: + default: Enable AWS Instance Connect + MetaDataToken: + default: Metadata HTTP token + GatewaysMinSize: + default: Minimum Gateway group size + GatewaysMaxSize: + default: Maximum Gateway group size + AdminEmail: + default: Email address + GatewaysTargetGroups: + default: Gateways target groups + GatewayVersion: + default: Gateways version & license + Shell: + default: Admin shell + GatewayPasswordHash: + default: Gateways Password hash + GatewayMaintenancePasswordHash: + default: Gateway Maintenance Password hash + GatewaySICKey: + default: Gateways SIC key + AllowUploadDownload: + default: Allow upload & download + CloudWatch: + default: CloudWatch metrics + GatewayBootstrapScript: + default: Gateways bootstrap script + ControlGatewayOverPrivateOrPublicAddress: + default: Gateways addresses + ManagementServer: + default: Management Server + ConfigurationTemplate: + default: Configuration template + ELBType: + default: Proxy type + ELBPort: + default: Proxy port + ELBClients: + default: Allowed proxy clients +Parameters: + AvailabilityZones: + Description: List of Availability Zones (AZs) to use for the subnets in the VPC. Select at least two. + Type: List + AllowedPattern: '.+' + NumberOfAZs: + Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. + Type: Number + Default: 2 + AllowedValues: + - 2 + - 3 + - 4 + VPCCIDR: + Description: CIDR block for the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: CIDR block for public subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet2CIDR: + Description: CIDR block for public subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.20.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet3CIDR: + Description: CIDR block for public subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.30.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet4CIDR: + Description: CIDR block for public subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.40.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet1CIDR: + Description: CIDR block for private subnet 1 located in the 1st Availability Zone. + Type: String + Default: 10.0.11.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet2CIDR: + Description: CIDR block for private subnet 2 located in the 2nd Availability Zone. + Type: String + Default: 10.0.21.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet3CIDR: + Description: CIDR block for private subnet 3 located in the 3rd Availability Zone. + Type: String + Default: 10.0.31.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PrivateSubnet4CIDR: + Description: CIDR block for private subnet 4 located in the 4th Availability Zone. + Type: String + Default: 10.0.41.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + GatewayName: + Description: The name tag of the Security Gateway instances. (optional) + Type: String + Default: Check-Point-Gateway + GatewayInstanceType: + Description: The instance type of the Secutiry Gateways. + Type: String + Default: c6in.xlarge + AllowedValues: + - c4.large + - c4.xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - c7i.xlarge + - c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instances. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: Must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + Default: 100 + MinValue: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + EnableVolumeEncryption: + Description: Encrypt Auto Scaling instances volume with default AWS KMS key. + Type: String + Default: true + AllowedValues: + - true + - false + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + GatewaysMinSize: + Description: The minimal number of gateways in the Auto Scaling group. + Type: Number + Default: 2 + MinValue: 1 + GatewaysMaxSize: + Description: The maximal number of gateways in the Auto Scaling group. + Type: Number + Default: 10 + MinValue: 1 + AdminEmail: + Description: Notifications about scaling events will be sent to this email address. (optional) + Type: String + Default: '' + AllowedPattern: '^(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?))?$' + ConstraintDescription: Must be a valid email address. + GatewaysTargetGroups: + Description: A list of Target Groups to associate with the Auto Scaling. + group (comma separated list of ARNs, without spaces) (optional) + Type: String + Default: '' + GatewayVersion: + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.10-PAYG-NGTP + - R81.10-PAYG-NGTX + - R81.20-BYOL + - R81.20-PAYG-NGTP + - R81.20-PAYG-NGTX + - R82-BYOL + - R82-PAYG-NGTP + - R82-PAYG-NGTX + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + GatewayPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD". + to get the PASSWORD's hash) (optional) + Type: String + Default: '' + AllowedPattern: '^[\$\./a-zA-Z0-9]*$' + NoEcho: true + GatewayMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + GatewaySICKey: + Description: The Secure Internal Communication key creates trusted connections. + between Check Point components. Choose a random string consisting of at least + 8 alphanumeric characters. + Type: String + AllowedPattern: '^[a-zA-Z0-9]{8,}$' + ConstraintDescription: At least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Improve product experience by sending data to Check Point + Type: String + Default: true + AllowedValues: + - true + - false + CloudWatch: + Description: Report Check Point specific CloudWatch metrics. + Type: String + Default: false + AllowedValues: + - true + - false + GatewayBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + ControlGatewayOverPrivateOrPublicAddress: + Description: Determines if the gateways are provisioned using their private or public address. + Type: String + Default: private + AllowedValues: + - private + - public + ManagementServer: + Description: The name that represents the Security Management Server in the automatic provisioning configuration. + Type: String + Default: management-server + MinLength: 1 + ConfigurationTemplate: + Description: A name of a gateway configuration template in the automatic provisioning configuration. + Type: String + Default: ASG-configuration + MinLength: 1 + MaxLength: 30 + ELBType: + Type: String + Default: none + AllowedValues: + - none + - internal + - internet-facing + ELBPort: + Type: Number + Default: 8080 + ELBClients: + Type: String + Default: 0.0.0.0/0 + AllowedPattern: '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$' +Conditions: + ProvidedAdminEmail: !Not [!Equals [!Ref AdminEmail, '']] + ProvidedTargetGroups: !Not [!Equals [!Ref GatewaysTargetGroups, '']] + EnableCloudWatch: !Equals [!Ref CloudWatch, true] + CreateELB: !Not [!Equals [!Ref ELBType, none]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] + 4AZs: !Equals [ !Ref NumberOfAZs, 4 ] + 3AZs: !Or [ !Equals [ !Ref NumberOfAZs, 3 ], !Condition 4AZs ] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Join [ ',' , !Ref AvailabilityZones ] + NumberOfAZs: !Ref NumberOfAZs + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + PublicSubnet2CIDR: !Ref PublicSubnet2CIDR + PublicSubnet3CIDR: !Ref PublicSubnet3CIDR + PublicSubnet4CIDR: !Ref PublicSubnet4CIDR + PrivateSubnet1CIDR: !Ref PrivateSubnet1CIDR + PrivateSubnet2CIDR: !Ref PrivateSubnet2CIDR + PrivateSubnet3CIDR: !Ref PrivateSubnet3CIDR + PrivateSubnet4CIDR: !Ref PrivateSubnet4CIDR + ChkpGatewayRole: + Type: AWS::IAM::Role + Condition: EnableCloudWatch + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: / + CloudwatchPolicy: + Condition: EnableCloudWatch + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/iam/cloudwatch-policy.yaml + Parameters: + PolicyName: ChkpGatewayPolicy + PolicyRole: !Ref ChkpGatewayRole + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: EnableCloudWatch + Properties: + Path: / + Roles: + - !Ref ChkpGatewayRole + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref GatewayVersion, GW]] + NotificationTopic: + Type: AWS::SNS::Topic + Condition: ProvidedAdminEmail + Properties: + Subscription: + - Endpoint: !Ref AdminEmail + Protocol: email + ElasticLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Condition: CreateELB + Properties: + CrossZone: true + Listeners: + - LoadBalancerPort: !Ref ELBPort + InstancePort: !Ref ELBPort + Protocol: TCP + HealthCheck: + Target: !Join [':', [TCP, !Ref ELBPort]] + HealthyThreshold: 3 + UnhealthyThreshold: 5 + Interval: 30 + Timeout: 5 + Scheme: !Ref ELBType + Subnets: + - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + Policies: + - PolicyName: EnableProxyProtocol + PolicyType: ProxyProtocolPolicyType + Attributes: + - Name: ProxyProtocol + Value: true + InstancePorts: + - !Ref ELBPort + SecurityGroups: + - !Ref ELBSecurityGroup + PermissiveSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + Tags: + - Key: Name + Value: !Join ['_', [!Ref 'AWS::StackName', PermissiveSecurityGroup]] + GroupDescription: Permissive security group. + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - IpProtocol: -1 + CidrIp: 0.0.0.0/0 + GatewayGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: GatewayLaunchTemplate + Properties: + VPCZoneIdentifier: + - !GetAtt VPCStack.Outputs.PublicSubnet1ID + - !GetAtt VPCStack.Outputs.PublicSubnet2ID + - !If [3AZs, !GetAtt VPCStack.Outputs.PublicSubnet3ID, !Ref 'AWS::NoValue'] + - !If [4AZs, !GetAtt VPCStack.Outputs.PublicSubnet4ID, !Ref 'AWS::NoValue'] + LaunchTemplate: + LaunchTemplateId: !Ref GatewayLaunchTemplate + Version: !GetAtt GatewayLaunchTemplate.LatestVersionNumber + MinSize: !Ref GatewaysMinSize + MaxSize: !Ref GatewaysMaxSize + LoadBalancerNames: !If [CreateELB, [!Ref ElasticLoadBalancer], !Ref 'AWS::NoValue'] + TargetGroupARNs: !If [ProvidedTargetGroups, !Split [',', !Ref GatewaysTargetGroups], !Ref 'AWS::NoValue'] + HealthCheckType: ELB + HealthCheckGracePeriod: 3600 + NotificationConfiguration: !If + - ProvidedAdminEmail + - TopicARN: !Ref NotificationTopic + NotificationTypes: + - autoscaling:EC2_INSTANCE_LAUNCH + - autoscaling:EC2_INSTANCE_LAUNCH_ERROR + - autoscaling:EC2_INSTANCE_TERMINATE + - autoscaling:EC2_INSTANCE_TERMINATE_ERROR + - !Ref 'AWS::NoValue' + Tags: + - Key: Name + Value: !Ref GatewayName + PropagateAtLaunch: true + - Key: x-chkp-tags + Value: !Join + - ':' + - - !Join ['=', [management, !Ref ManagementServer]] + - !Join ['=', [template, !Ref ConfigurationTemplate]] + - !Join ['=', [ip-address, !Ref ControlGatewayOverPrivateOrPublicAddress]] + PropagateAtLaunch: true + GatewayLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: true + Groups: + - !Ref PermissiveSecurityGroup + Monitoring: + Enabled: true + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref GatewayInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !Ref EnableVolumeEncryption + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [EnableCloudWatch, !Ref InstanceProfile, !Ref 'AWS::NoValue'] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; cw=${CloudWatch} ; eic=${EnableInstanceConnect}' + - !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref GatewaySICKey, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref GatewayMaintenancePasswordHash, ')"']] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref GatewayVersion]]}] + - ' python3 /etc/cloud_config.py enableCloudWatch=\"${cw}\" sicKey=\"${sic}\" installationType=\"autoscale\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"autoscale\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + GatewayScaleUpPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: 1 + GatewayScaleDownPolicy: + Type: AWS::AutoScaling::ScalingPolicy + Properties: + AdjustmentType: ChangeInCapacity + AutoScalingGroupName: !Ref GatewayGroup + Cooldown: 300 + ScalingAdjustment: -1 + CPUAlarmHigh: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-up if CPU > 80% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 80 + AlarmActions: + - !Ref GatewayScaleUpPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: GreaterThanThreshold + CPUAlarmLow: + Type: AWS::CloudWatch::Alarm + Properties: + AlarmDescription: Scale-down if CPU < 60% for 10 minutes. + MetricName: CPUUtilization + Namespace: AWS/EC2 + Statistic: Average + Period: 300 + EvaluationPeriods: 2 + Threshold: 60 + AlarmActions: + - !Ref GatewayScaleDownPolicy + Dimensions: + - Name: AutoScalingGroupName + Value: !Ref GatewayGroup + ComparisonOperator: LessThanThreshold + ELBSecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: CreateELB + Properties: + GroupDescription: ELB security group. + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - IpProtocol: tcp + CidrIp: !Ref ELBClients + FromPort: !Ref ELBPort + ToPort: !Ref ELBPort +Outputs: + URL: + Description: The URL of the Proxy. + Condition: CreateELB + Value: !Join ['', ['http://', !GetAtt ElasticLoadBalancer.DNSName]] + SecurityGroup: + Description: The Security Group of the Auto Scaling group. + Value: !GetAtt PermissiveSecurityGroup.GroupId \ No newline at end of file diff --git a/aws/templates/asg/autoscale.yaml b/aws/templates/asg/autoscale.yaml index 3869e7c9..e8565dd8 100644 --- a/aws/templates/asg/autoscale.yaml +++ b/aws/templates/asg/autoscale.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Create an Auto Scaling group of Check Point gateways (20241027) +Description: Create an Auto Scaling group of Check Point gateways into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: diff --git a/aws/templates/management/management-master.yaml b/aws/templates/management/management-master.yaml new file mode 100755 index 00000000..b5e76d0f --- /dev/null +++ b/aws/templates/management/management-master.yaml @@ -0,0 +1,641 @@ +AWSTemplateFormatVersion: 2010-09-09 +Description: Deploys a Check Point Management Server into a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnet1CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - ManagementName + - ManagementInstanceType + - KeyName + - AllocatePublicAddress + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation is not Primary Management + Server) + Parameters: + - ManagementPermissions + - ManagementPredefinedRole + - ManagementSTSRoles + - Label: + default: Check Point Settings + Parameters: + - ManagementVersion + - Shell + - ManagementPasswordHash + - ManagementMaintenancePasswordHash + - Label: + default: Security Management Server Settings + Parameters: + - ManagementHostname + - ManagementInstallationType + - SICKey + - AllowUploadDownload + - AdminCIDR + - GatewayManagement + - GatewaysAddresses + - ManagementBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: Management subnet CIDR + ManagementName: + default: Management name + ManagementInstanceType: + default: Instance type + KeyName: + default: Key name + AllocatePublicAddress: + default: Allocate an Elastic IP + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + ManagementPermissions: + default: IAM role + ManagementPredefinedRole: + default: Existing IAM role name + ManagementSTSRoles: + default: STS roles + ManagementVersion: + default: Version & license + Shell: + default: Admin shell + ManagementPasswordHash: + default: Password hash + ManagementMaintenancePasswordHash: + default: Management Maintenance Password hash + ManagementHostname: + default: Management hostname + ManagementInstallationType: + default: Management installation type + SICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewayManagement: + default: Gateways management + GatewaysAddresses: + default: Gateways addresses + ManagementBootstrapScript: + default: Management bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The CIDR block of the management subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + ManagementName: + Description: The Management name tag. + Type: String + Default: Check-Point-Management + ManagementInstanceType: + Description: The instance type of the Security Management Server. + Type: String + Default: m5.xlarge + AllowedValues: + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.large + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.large + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.large + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.large + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.large + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.large + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.large + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.large + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.large + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.large + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - c7i.xlarge + - c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + AllocatePublicAddress: + Description: Allocate an elastic IP for the Management. + Type: String + Default: true + AllowedValues: + - true + - false + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + ManagementPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + ManagementPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored. + if IAM role is not set to 'Use existing' + Type: String + Default: '' + ManagementSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + ManagementVersion: + Description: The license to install on the Security Management Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.10-PAYG + - R81.20-BYOL + - R81.20-PAYG + - R82-BYOL + - R82-PAYG + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + ManagementPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + ManagementHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mgmt-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + ManagementInstallationType: + Description: Determines the Management Server installation type. + Type: String + Default: Primary management + AllowedValues: + - Primary management + - Secondary management + - Log Server + SICKey: + Description: >- + Mandatory only if deploying a secondary Management Server or Log Server, the Secure Internal + Communication key creates trusted connections between Check Point components. + Choose a random string consisting of at least 8 alphanumeric characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a primary Management Server. Otherwise, + at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Management Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Management + Server. + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + GatewayManagement: + Description: Select 'Over the internet' if any of the gateways you wish to manage + are not directly accessed via their private IP address. + Type: String + Default: Locally managed + AllowedValues: + - Locally managed + - Over the internet + ManagementBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: 0.pool.ntp.org + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EIP: !Equals [!Ref AllocatePublicAddress, true] + ManageOverInternet: !Equals [!Ref GatewayManagement, Over the internet] + ManageOverInternetAndEIP: !And [!Condition EIP, !Condition ManageOverInternet] + CreateRole: !Or + - !Equals [!Ref ManagementPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref ManagementPermissions, Create with read permissions] + - !Equals [!Ref ManagementPermissions, Create with read-write permissions] + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + UseRole: !Not [!Equals [!Ref ManagementPermissions, None (configure later)]] + NoSIC: !Equals [!Ref SICKey, ''] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: false + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref ManagementVersion, MGMT]] + ManagementReadyHandle: + Type: AWS::CloudFormation::WaitConditionHandle + Condition: EIP + Properties: {} + ManagementReadyCondition: + Type: AWS::CloudFormation::WaitCondition + Condition: EIP + DependsOn: ManagementInstance + Properties: + Handle: !Ref ManagementReadyHandle + Timeout: 1800 + ManagementSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Management security group + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + ManagementRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref ManagementPermissions + STSRoles: !Join [',', !Ref ManagementSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref ManagementPredefinedRole + ManagementInstance: + Type: AWS::EC2::Instance + DependsOn: ManagementLaunchTemplate + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref ManagementLaunchTemplate + Version: !GetAtt ManagementLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref ManagementName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref ManagementSecurityGroup + DeleteOnTermination: true + SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID + ManagementLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref ManagementInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt ManagementRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: + 'Fn::Base64': + !Join + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${ManagementHostname} ; eic=${EnableInstanceConnect} ; admin_subnet=${AdminCIDR} ; eip=${AllocatePublicAddress} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; mgmt_install_type=''${ManagementInstallationType}''' + - !If [EIP, !Sub ' wait_handle=''${ManagementReadyHandle}''',!Ref 'AWS::NoValue'] + - !If [NoSIC, ' sic=""', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref SICKey, ')"']]] + - !If [ManageOverInternetAndEIP, ' pub_mgmt=true', ' pub_mgmt=false'] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref ManagementBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref ManagementMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref ManagementVersion]]}] + - ' python3 /etc/cloud_config.py waitHandle=\"${wait_handle}\" sicKey=\"${sic}\" installationType=\"management\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"management\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" "management_installation_type=\"${mgmt_install_type}\"" adminSubnet=\"${admin_subnet}\" allocatePublicAddress=\"${eip}\" overTheInternet=\"${pub_mgmt}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version + PublicAddress: + Type: AWS::EC2::EIP + Condition: EIP + Properties: + Domain: vpc + AddressAssoc: + Type: AWS::EC2::EIPAssociation + Condition: EIP + DependsOn: ManagementInstance + Properties: + InstanceId: !Ref ManagementInstance + AllocationId: !GetAtt PublicAddress.AllocationId +Outputs: + PublicAddress: + Condition: EIP + Description: The public address of the Management Server. + Value: !Ref PublicAddress + SSH: + Condition: EIP + Description: SSH command. + Value: !Join ['', ['ssh -i ', !Ref KeyName, ' admin@', !Ref PublicAddress]] + URL: + Condition: EIP + Description: URL to the portal. + Value: !Join ['', ['https://', !Ref PublicAddress]] diff --git a/aws/templates/management/management.yaml b/aws/templates/management/management.yaml index 2ce992da..0a09fab0 100755 --- a/aws/templates/management/management.yaml +++ b/aws/templates/management/management.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: 2010-09-09 -Description: Deploys a Check Point Management Server (20241027) +Description: Deploys a Check Point Management Server into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: diff --git a/aws/templates/mds/mds-master.yaml b/aws/templates/mds/mds-master.yaml new file mode 100755 index 00000000..ac2cd876 --- /dev/null +++ b/aws/templates/mds/mds-master.yaml @@ -0,0 +1,570 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Deploys a Check Point Multi-Domain Server into a new VPC (__VERSION__) +Metadata: + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: VPC Network Configuration + Parameters: + - AvailabilityZone + - VPCCIDR + - PublicSubnet1CIDR + - Label: + default: EC2 Instance Configuration + Parameters: + - MDSName + - MDSInstanceType + - KeyName + - VolumeSize + - VolumeType + - VolumeEncryption + - EnableInstanceConnect + - TerminationProtection + - MetaDataToken + - Label: + default: IAM Permissions (ignored when the installation type is not Primary + Multi-Domain Server) + Parameters: + - MDSPermissions + - MDSPredefinedRole + - MDSSTSRoles + - Label: + default: Check Point Settings + Parameters: + - MDSVersion + - Shell + - MDSPasswordHash + - MDSMaintenancePasswordHash + - Label: + default: Multi-Domain Server Settings + Parameters: + - MDSHostname + - MDSInstallationType + - MDSSICKey + - AllowUploadDownload + - AdminCIDR + - GatewaysAddresses + - MDSBootstrapScript + - NTPPrimary + - NTPSecondary + ParameterLabels: + AvailabilityZone: + default: Availability zone + VPCCIDR: + default: VPC CIDR + PublicSubnet1CIDR: + default: MDS subnet CIDR + MDSName: + default: MDS name + MDSInstanceType: + default: Instance type + KeyName: + default: Key name + VolumeSize: + default: Root volume size (GB) + VolumeType: + default: Volume Type + VolumeEncryption: + default: Volume encryption KMS key identifier + EnableInstanceConnect: + default: Enable AWS Instance Connect + TerminationProtection: + default: Termination Protection + MetaDataToken: + default: Metadata HTTP token + MDSPermissions: + default: IAM role + MDSPredefinedRole: + default: Existing IAM role name + MDSSTSRoles: + default: STS roles + MDSVersion: + default: Version & license + Shell: + default: Admin shell + MDSPasswordHash: + default: Password hash + MDSMaintenancePasswordHash: + default: MDS Maintenance Password hash + MDSHostname: + default: MDS hostname + MDSInstallationType: + default: MDS installation type + MDSSICKey: + default: SIC key + AllowUploadDownload: + default: Allow upload & download + AdminCIDR: + default: Administrator addresses + GatewaysAddresses: + default: Gateways addresses + MDSBootstrapScript: + default: MDS Bootstrap script + NTPPrimary: + default: Primary NTP server + NTPSecondary: + default: Secondary NTP server +Parameters: + AvailabilityZone: + Description: The availability zone in which to deploy the instance. + Type: AWS::EC2::AvailabilityZone::Name + MinLength: 1 + VPCCIDR: + Description: The CIDR block of the VPC. + Type: String + Default: 10.0.0.0/16 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + PublicSubnet1CIDR: + Description: The CIDR block of the management subnet. + Type: String + Default: 10.0.10.0/24 + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$' + ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28. + MDSName: + Description: The MDS name tag. + Type: String + Default: Check-Point-MDS + MDSInstanceType: + Description: The instance type of the Multi-Domain Server. + Type: String + Default: m5.2xlarge + AllowedValues: + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.12xlarge + - c5.18xlarge + - c5.24xlarge + - c5n.xlarge + - c5n.2xlarge + - c5n.4xlarge + - c5n.9xlarge + - c5n.18xlarge + - c5d.xlarge + - c5d.2xlarge + - c5d.4xlarge + - c5d.9xlarge + - c5d.12xlarge + - c5d.18xlarge + - c5d.24xlarge + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.8xlarge + - m5.12xlarge + - m5.16xlarge + - m5.24xlarge + - m6i.xlarge + - m6i.2xlarge + - m6i.4xlarge + - m6i.8xlarge + - m6i.12xlarge + - m6i.16xlarge + - m6i.24xlarge + - m6i.32xlarge + - c6i.xlarge + - c6i.2xlarge + - c6i.4xlarge + - c6i.8xlarge + - c6i.12xlarge + - c6i.16xlarge + - c6i.24xlarge + - c6i.32xlarge + - c6in.xlarge + - c6in.2xlarge + - c6in.4xlarge + - c6in.8xlarge + - c6in.12xlarge + - c6in.16xlarge + - c6in.24xlarge + - c6in.32xlarge + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.8xlarge + - r5.12xlarge + - r5.16xlarge + - r5.24xlarge + - r5a.xlarge + - r5a.2xlarge + - r5a.4xlarge + - r5a.8xlarge + - r5a.12xlarge + - r5a.16xlarge + - r5a.24xlarge + - r5b.xlarge + - r5b.2xlarge + - r5b.4xlarge + - r5b.8xlarge + - r5b.12xlarge + - r5b.16xlarge + - r5b.24xlarge + - r5n.xlarge + - r5n.2xlarge + - r5n.4xlarge + - r5n.8xlarge + - r5n.12xlarge + - r5n.16xlarge + - r5n.24xlarge + - r6i.xlarge + - r6i.2xlarge + - r6i.4xlarge + - r6i.8xlarge + - r6i.12xlarge + - r6i.16xlarge + - r6i.24xlarge + - r6i.32xlarge + - m6a.xlarge + - m6a.2xlarge + - m6a.4xlarge + - m6a.8xlarge + - m6a.12xlarge + - m6a.16xlarge + - m6a.24xlarge + - m6a.32xlarge + - m6a.48xlarge + - r7a.xlarge + - r7a.2xlarge + - r7a.4xlarge + - r7a.8xlarge + - r7a.12xlarge + - r7a.16xlarge + - r7a.24xlarge + - r7a.32xlarge + - r7a.48xlarge + - c7i-flex.xlarge + - c7i-flex.2xlarge + - c7i-flex.4xlarge + - c7i-flex.8xlarge + - m7a.xlarge + - m7a.2xlarge + - m7a.4xlarge + - m7a.8xlarge + - m7a.12xlarge + - m7a.16xlarge + - m7a.24xlarge + - m7a.32xlarge + - m7a.48xlarge + - c7i.xlarge + - c7i.2xlarge + - c7i.4xlarge + - c7i.8xlarge + - c7i.12xlarge + - c7i.16xlarge + - c7i.24xlarge + - c7i.32xlarge + - c7i.48xlarge + ConstraintDescription: must be a valid EC2 instance type. + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance. + Type: AWS::EC2::KeyPair::KeyName + MinLength: 1 + ConstraintDescription: must be the name of an existing EC2 KeyPair. + VolumeSize: + Type: Number + MinValue: 100 + Default: 100 + VolumeType: + Description: General Purpose SSD Volume Type + Type: String + Default: gp3 + AllowedValues: + - gp3 + - gp2 + VolumeEncryption: + Description: KMS or CMK key Identifier - Use key ID, alias or ARN. Key alias should be prefixed with 'alias/' (e.g. for KMS default alias 'aws/ebs' - insert 'alias/aws/ebs'). + Type: String + Default: alias/aws/ebs + EnableInstanceConnect: + Description: Enable SSH connection over AWS web console. + Type: String + Default: false + AllowedValues: + - true + - false + TerminationProtection: + Description: Prevents an instance from accidental termination. + Type: String + Default: false + AllowedValues: + - true + - false + MetaDataToken: + Description: Set true to deploy the instance with metadata v2 token required. + Type: String + Default: true + AllowedValues: + - true + - false + MDSPermissions: + Description: IAM role to attach to the instance profile. + Type: String + Default: Create with read permissions + AllowedValues: + - None (configure later) + - Use existing (specify an existing IAM role name) + - Create with assume role permissions (specify an STS role ARN) + - Create with read permissions + - Create with read-write permissions + MDSPredefinedRole: + Description: A predefined IAM role to attach to the instance profile. Ignored + if IAM role is not set to 'Use existing'. + Type: String + Default: '' + MDSSTSRoles: + Description: The IAM role will be able to assume these STS Roles (comma separated + list of ARNs, without spaces). Ignored if IAM role is set to 'None' or 'Use + existing'. + Type: CommaDelimitedList + Default: '' + MDSVersion: + Description: The license to install on the Multi-Domain Server. + Type: String + Default: R81.20-BYOL + AllowedValues: + - R81.10-BYOL + - R81.20-BYOL + - R82-BYOL + Shell: + Description: Change the admin shell to enable advanced command line configuration. + Type: String + Default: /etc/cli.sh + AllowedValues: + - /etc/cli.sh + - /bin/bash + - /bin/csh + - /bin/tcsh + MDSPasswordHash: + Description: Admin user's password hash (use command "openssl passwd -6 PASSWORD" + to get the PASSWORD's hash). (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSMaintenancePasswordHash: + Description: Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes (use command " grub2-mkpasswd-pbkdf2" to get the PASSWORD's hash). For R81.10 and below the Admin user's password is used also as maintenance-mode password. (optional) + Type: String + Default: '' + AllowedPattern: '[\$\./a-zA-Z0-9]*' + NoEcho: true + MDSHostname: + Description: The name must not contain reserved words. For details, refer to sk40179. (optional) + Type: String + Default: mds-aws + AllowedPattern: '^([A-Za-z]([-0-9A-Za-z]{0,61}[0-9A-Za-z])?|)$' + ConstraintDescription: A valid hostname label or an empty string. + MDSInstallationType: + Description: Determines the Multi-Domain Server installation type. + Type: String + Default: Primary Multi-Domain Server + AllowedValues: + - Primary Multi-Domain Server + - Secondary Multi-Domain Server + - Multi-Domain Log Server + MDSSICKey: + Description: >- + Mandatory if deploying a Secondary Multi-Domain Server or Multi-Domain Log Server, + the Secure Internal Communication key creates trusted connections between Check + Point components. Choose a random string consisting of at least 8 alphanumeric + characters. + Type: String + Default: '' + AllowedPattern: '(|[a-zA-Z0-9]{8,})' + ConstraintDescription: Can be empty if this is a Primary Multi-Domain Server. + Otherwise, at least 8 alpha numeric characters. + NoEcho: true + AllowUploadDownload: + Description: Automatically download updates and share statistical data for product improvement purpose. + Type: String + Default: true + AllowedValues: + - true + - false + AdminCIDR: + Description: Allow web, SSH, and graphical clients only from this network to communicate + with the Multi-Domain Server. The address should be either 0.0.0.0/0 (any address) or /32 (specific address) + Type: String + AllowedPattern: '^((0.0.0.0\/0)|)$|^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/32)$' + ConstraintDescription: Administrator address must be either 0.0.0.0/0 or /32 + GatewaysAddresses: + Description: Allow gateways only from this network to communicate with the Multi-Domain. + Server + Type: String + AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$' + MDSBootstrapScript: + Description: An optional script with semicolon (;) separated commands to run on the initial boot. (optional) + Type: String + Default: '' + NoEcho: true + NTPPrimary: + Description: (optional) + Type: String + Default: 169.254.169.123 + AllowedPattern: '[\.a-zA-Z0-9\-]*' + NTPSecondary: + Description: (optional) + Type: String + Default: '0.pool.ntp.org' + AllowedPattern: '[\.a-zA-Z0-9\-]*' +Conditions: + EncryptedVolume: !Not [!Equals [!Ref VolumeEncryption, '']] + CreateRole: !And + - !Or + - !Condition PrimaryMDS + - !Condition SecondaryMDS + - !Or + - !Equals [!Ref MDSPermissions, Create with assume role permissions (specify an STS role ARN)] + - !Equals [!Ref MDSPermissions, Create with read permissions] + - !Equals [!Ref MDSPermissions, Create with read-write permissions] + UseRole: !And [!Or [!Condition PrimaryMDS, !Condition SecondaryMDS], !Not [!Equals [!Ref MDSPermissions, None (configure later)]]] + PrimaryMDS: !Equals [!Ref MDSInstallationType, Primary Multi-Domain Server] + SecondaryMDS: !Equals [!Ref MDSInstallationType, Secondary Multi-Domain Server] + PreRole: !And [!Condition UseRole, !Not [!Condition CreateRole]] + EnableMetaDataToken: !Equals [!Ref MetaDataToken, true] +Resources: + VPCStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/vpc.yaml + Parameters: + AvailabilityZones: !Ref AvailabilityZone + NumberOfAZs: 1 + VPCCIDR: !Ref VPCCIDR + PublicSubnet1CIDR: !Ref PublicSubnet1CIDR + CreatePrivateSubnets: false + CreateAttachmentSubnets: false + AMI: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: __URL__/utils/amis.yaml + Parameters: + Version: !Join ['-', [!Ref MDSVersion, MGMT]] + MDSSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: MDS security group + VpcId: !GetAtt VPCStack.Outputs.VPCID + SecurityGroupIngress: + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 257 + ToPort: 257 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 8211 + ToPort: 8211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18191 + ToPort: 18191 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18192 + ToPort: 18192 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18208 + ToPort: 18208 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18210 + ToPort: 18210 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18211 + ToPort: 18211 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18221 + ToPort: 18221 + - CidrIp: !Ref GatewaysAddresses + IpProtocol: tcp + FromPort: 18264 + ToPort: 18264 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 18190 + ToPort: 18190 + - CidrIp: !Ref AdminCIDR + IpProtocol: tcp + FromPort: 19009 + ToPort: 19009 + MDSRoleStack: + Type: AWS::CloudFormation::Stack + Condition: CreateRole + Properties: + TemplateURL: __URL__/iam/cme-iam-role.yaml + Parameters: + Permissions: !Ref MDSPermissions + STSRoles: !Join [',', !Ref MDSSTSRoles] + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Condition: PreRole + Properties: + Path: / + Roles: + - !Ref MDSPredefinedRole + MDSInstance: + Type: AWS::EC2::Instance + DependsOn: [MDSSecurityGroup, MDSLaunchTemplate] + Properties: + LaunchTemplate: + LaunchTemplateId: !Ref MDSLaunchTemplate + Version: !GetAtt MDSLaunchTemplate.LatestVersionNumber + DisableApiTermination: !Ref TerminationProtection + Tags: + - Key: Name + Value: !Ref MDSName + NetworkInterfaces: + - DeviceIndex: 0 + AssociatePublicIpAddress: false + Description: eth0 + GroupSet: + - !Ref MDSSecurityGroup + DeleteOnTermination: true + SubnetId: !GetAtt VPCStack.Outputs.PublicSubnet1ID + MDSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateData: + KeyName: !Ref KeyName + ImageId: !GetAtt AMI.Outputs.ImageId + InstanceType: !Ref MDSInstanceType + MetadataOptions: + HttpTokens: !If [EnableMetaDataToken, required, optional] + BlockDeviceMappings: + - DeviceName: '/dev/xvda' + Ebs: + Encrypted: !If [ EncryptedVolume, true, false ] + KmsKeyId: !If [ EncryptedVolume, !Ref VolumeEncryption, !Ref 'AWS::NoValue' ] + VolumeType: !Ref VolumeType + VolumeSize: !Ref VolumeSize + IamInstanceProfile: + Name: !If [ UseRole, !If [ PreRole, !Ref InstanceProfile, !GetAtt MDSRoleStack.Outputs.CMEIAMRole ], !Ref 'AWS::NoValue' ] + UserData: !Base64 + Fn::Join: + - |+ + + - - '#cloud-config' + - 'runcmd:' + - ' - |' + - ' set -e' + - !Sub ' admin_shell=${Shell} ; allow_info=${AllowUploadDownload} ; hostname=${MDSHostname} ; eic=${EnableInstanceConnect} ; ntp1=${NTPPrimary} ; ntp2=${NTPSecondary} ; admin_subnet=${AdminCIDR}' + - !If [PrimaryMDS, ' primary=true ; secondary=false', !If [SecondaryMDS, ' primary=false ; secondary=true', ' primary=false ; secondary=false']] + - !If [PrimaryMDS, ' sic=notused', !Join ['', [' sic="$(echo ', 'Fn::Base64': !Ref MDSSICKey, ')"']]] + - !Join ['', [' bootstrap="$(echo ', 'Fn::Base64': !Ref MDSBootstrapScript, ')"']] + - !Join ['', [' pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSPasswordHash, ')"']] + - !Join ['', [' maintenance_pwd_hash="$(echo ', 'Fn::Base64': !Ref MDSMaintenancePasswordHash, ')"']] + - !Sub [' version=${Version}', {Version: !Select [0, !Split ['-', !Ref MDSVersion]]}] + - ' python3 /etc/cloud_config.py sicKey=\"${sic}\" installationType=\"mds\" osVersion=\"${version}\" allowUploadDownload=\"${allow_info}\" templateVersion=\"__VERSION__\" templateName=\"mds\" shell=\"${admin_shell}\" enableInstanceConnect=\"${eic}\" hostName=\"${hostname}\" ntpPrimary=\"${ntp1}\" ntpSecondary=\"${ntp2}\" passwordHash=\"${pwd_hash}\" MaintenanceModePassword=\"${maintenance_pwd_hash}\" primary=\"${primary}\" secondary=\"${secondary}\" adminSubnet=\"${admin_subnet}\" bootstrapScript64=\"${bootstrap}\"' + VersionDescription: Initial template version \ No newline at end of file diff --git a/aws/templates/mds/mds.yaml b/aws/templates/mds/mds.yaml index 5f81a260..28030cec 100644 --- a/aws/templates/mds/mds.yaml +++ b/aws/templates/mds/mds.yaml @@ -1,5 +1,5 @@ AWSTemplateFormatVersion: '2010-09-09' -Description: Deploys a Check Point Multi-Domain Server (20241027) +Description: Deploys a Check Point Multi-Domain Server into an existing VPC (20241027) Metadata: AWS::CloudFormation::Interface: ParameterGroups: