From 714c594eafbb854d522e6abed7feb242b3ee116c Mon Sep 17 00:00:00 2001 From: avivm Date: Mon, 13 Jan 2025 11:52:35 +0000 Subject: [PATCH 1/5] Add new file --- .gitlab-ci.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..e69de29 From 2b5a5dbce303ed04ba6a57ea256da8acdd65025d Mon Sep 17 00:00:00 2001 From: avivm Date: Mon, 13 Jan 2025 11:53:34 +0000 Subject: [PATCH 2/5] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c5479eb..510396a 100755 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![GitHub Wachers](https://img.shields.io/github/watchers/CheckPointSW/terraform-azure-cloudguard-network-security) ![GitHub Release](https://img.shields.io/github/v/release/CheckPointSW/terraform-azure-cloudguard-network-security) -![GitHub Commits Since Last Commit](https://img.shields.io/github/commits-since/CheckPointSW/terraform-azure-cloudguard-network-security/latest/main) -![GitHub Last Commit](https://img.shields.io/github/last-commit/CheckPointSW/terraform-azure-cloudguard-network-security/main) +![GitHub Commits Since Last Commit](https://img.shields.io/github/commits-since/CheckPointSW/terraform-azure-cloudguard-network-security/latest/master) +![GitHub Last Commit](https://img.shields.io/github/last-commit/CheckPointSW/terraform-azure-cloudguard-network-security/master) ![GitHub Repo Size](https://img.shields.io/github/repo-size/CheckPointSW/terraform-azure-cloudguard-network-security) ![GitHub Downloads](https://img.shields.io/github/downloads/CheckPointSW/terraform-azure-cloudguard-network-security/total) From 9e425792a8a41a63c3a1c98a59c7e177e9f2b8b4 Mon Sep 17 00:00:00 2001 
From: guybarak
Date: Tue, 14 Jan 2025 10:16:16 +0000
Subject: [PATCH 3/5] Adding internal submodules: common, nsg and vnet
---
 modules/common/main.tf | 5 +
 modules/common/outputs.tf | 130 +++++++
 modules/common/variables.tf | 368 ++++++++++++++++++++
 modules/common/versions.tf | 3 +
 modules/network_security_group/main.tf | 23 ++
 modules/network_security_group/output.tf | 7 +
 modules/network_security_group/variables.tf | 43 +++
 modules/network_security_group/versions.tf | 3 +
 modules/vnet/main.tf | 83 +++++
 modules/vnet/outputs.tf | 27 ++
 modules/vnet/variables.tf | 63 ++++
 modules/vnet/versions.tf | 3 +
 12 files changed, 758 insertions(+)
 create mode 100755 modules/common/main.tf
 create mode 100755 modules/common/outputs.tf
 create mode 100755 modules/common/variables.tf
 create mode 100755 modules/common/versions.tf
 create mode 100755 modules/network_security_group/main.tf
 create mode 100755 modules/network_security_group/output.tf
 create mode 100755 modules/network_security_group/variables.tf
 create mode 100755 modules/network_security_group/versions.tf
 create mode 100755 modules/vnet/main.tf
 create mode 100755 modules/vnet/outputs.tf
 create mode 100755 modules/vnet/variables.tf
 create mode 100755 modules/vnet/versions.tf
diff --git a/modules/common/main.tf b/modules/common/main.tf
new file mode 100755
index 0000000..08bc5f9
--- /dev/null
+++ b/modules/common/main.tf
@@ -0,0 +1,5 @@
+resource "azurerm_resource_group" "resource_group" {
+ name = var.resource_group_name
+ location = var.location
+}
+
diff --git a/modules/common/outputs.tf b/modules/common/outputs.tf
new file mode 100755
index 0000000..1d4ad2b
--- /dev/null
+++ b/modules/common/outputs.tf
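Review bot: The `azurerm_resource_group` block in modules/common/main.tf sets no `tags`, although this same commit declares a `tags` variable in modules/common/variables.tf and applies `tags = var.tags` on the NSG and VNet resources. Untagged resource groups drop out of tag-based cost, ownership and policy reporting, so adding `tags = var.tags` after `location = var.location` keeps the three modules consistent.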
@@ -0,0 +1,130 @@
+output "resource_group_name" {
+ value = azurerm_resource_group.resource_group.name
+}
+
+output "resource_group_id" {
+ value = azurerm_resource_group.resource_group.id
+}
+
+output "resource_group_location" {
+ value = azurerm_resource_group.resource_group.location
+}
+
+output "azurerm_resource_group_id" {
+ value = azurerm_resource_group.resource_group.id
+}
+
+output "admin_username" {
+ value = var.admin_username
+}
+
+output "admin_password"{
+ value = var.admin_password
+}
+
+output "vm_instance_identity" {
+ value = var.vm_instance_identity_type
+}
+
+output "template_name"{
+ value = var.template_name
+}
+
+output "template_version" {
+ value = var.template_version
+}
+
+output "bootstrap_script"{
+ value = var.bootstrap_script
+}
+
+output "os_version" {
+ value = var.os_version
+}
+
+output "installation_type" {
+ value = var.installation_type
+}
+
+output "number_of_vm_instances" {
+ value = var.number_of_vm_instances
+}
+
+output "allow_upload_download" {
+ value = var.allow_upload_download
+}
+
+output "is_blink" {
+ value = var.is_blink
+}
+
+output "vm_size" {
+ value = var.vm_size
+}
+
+output "delete_os_disk_on_termination" {
+ value = var.delete_os_disk_on_termination
+}
+
+output "vm_os_offer" {
+ value = var.vm_os_offer
+}
+
+output "vm_os_sku" {
+ value = var.vm_os_sku
+}
+
+output "vm_os_version" {
+ value = var.vm_os_version
+}
+
+output "storage_account_type" {
+ value = var.storage_account_type
+}
+
+output "storage_account_tier" {
+ value = var.storage_account_tier
+}
+
+output "account_replication_type" {
+ value = var.account_replication_type
+}
+
+output "disk_size" {
+ value = var.disk_size
+}
+
+output "publisher" {
+ value = var.publisher
+}
+
+output "storage_os_disk_create_option" {
+ value = var.storage_os_disk_create_option
+}
+
+output "storage_os_disk_caching" {
+ value = var.storage_os_disk_caching
+}
+
+output "managed_disk_type" {
+ value = var.managed_disk_type
+}
+
+output "authentication_type" {
+ value = var.authentication_type
+}
+
+output "tags" {
+ value = var.tags
+}
+
+output "boot_diagnostics" {
+ value = var.boot_diagnostics
+}
+
+output "storage_account_ip_rules" {
+ value = local.storage_account_ip_rules
+}
+output "role_definition" {
+ value = var.role_definition
+}
\ No newline at end of file
diff --git a/modules/common/variables.tf b/modules/common/variables.tf
new file mode 100755
index 0000000..7394419
--- /dev/null
+++ b/modules/common/variables.tf
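Review bot: `output "admin_password"` re-exports the VM administrator password without `sensitive = true`, so the value is printed in plain text whenever a root module exposes it and on every `terraform output`. Add `sensitive = true` to that block; the same flag belongs on the `admin_password`, `serial_console_password_hash` and `maintenance_mode_password_hash` declarations in the modules/common/variables.tf hunk, which the commit's `required_version = ">= 0.14.3"` already allows. Marking them only redacts CLI and plan output — the values are still written to state, so the state backend still needs access control and encryption.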
@@ -0,0 +1,368 @@
+//************** Basic config variables**************//
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "resource_group_id" {
+ description = "Azure Resource Group ID to use."
+ type = string
+ default = ""
+}
+
+variable "location" {
+ description = "The location/region where resources will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+//************** Virtual machine instance variables **************
+variable "admin_username" {
+ description = "Administrator username of deployed VM. Due to Azure limitations 'notused' name can be used"
+ type = string
+ default = "notused"
+}
+
+variable "admin_password" {
+ description = "Administrator password of deployed Virtual Machine. The password must meet the complexity requirements of Azure"
+ type = string
+}
+
+variable "serial_console_password_hash" {
+ description = "Optional parameter, used to enable serial console connection in case of SSH key as authentication type"
+ type = string
+}
+
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+}
+
+variable "tags" {
+ type = map(string)
+ description = "A map of the tags to use on the resources that are deployed with this module."
+ default = {}
+}
+
+variable "boot_diagnostics" {
+ type = bool
+ description = "Enable or Disable boot diagnostics"
+ default = true
+}
+
+variable "storage_account_additional_ips" {
+ type = list(string)
+ description = "IPs/CIDRs that are allowed access to the Storage Account"
+ default = []
+ validation {
+ condition = !contains(var.storage_account_additional_ips, "0.0.0.0") && can([for ip in var.storage_account_additional_ips: regex("^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$", ip)])
+ error_message = "Invalid IPv4 address."
+ }
+}
+locals {
+ serial_console_ips_per_location = {
+ "eastasia" : ["20.205.69.28", "20.195.85.180"],
+ "southeastasia" : ["20.205.69.28", "20.195.85.180"],
+ "australiacentral" : ["20.53.53.224", "20.70.222.112"],
+ "australiacentral2" : ["20.53.53.224", "20.70.222.112"],
+ "australiaeast" : ["20.53.53.224", "20.70.222.112"],
+ "australiasoutheast" : ["20.53.53.224", "20.70.222.112"],
+ "brazilsouth" : ["91.234.136.63", "20.206.0.194"],
+ "brazilsoutheast" : ["91.234.136.63", "20.206.0.194"],
+ "canadacentral" : ["52.228.86.177", "52.242.40.90"],
+ "canadaeast" : ["52.228.86.177", "52.242.40.90"],
+ "northeurope" : ["52.146.139.220", "20.105.209.72"],
+ "westeurope" : ["52.146.139.220", "20.105.209.72"],
+ "francecentral" : ["20.111.0.244", "52.136.191.10"],
+ "francesouth" : ["20.111.0.244", "52.136.191.10"],
+ "germanynorth" : ["51.116.75.88", "20.52.95.48"],
+ "germanywestcentral" : ["51.116.75.88", "20.52.95.48"],
+ "centralindia" : ["20.192.168.150", "20.192.153.104"],
+ "southindia" : ["20.192.168.150", "20.192.153.104"],
+ "westindia" : ["20.192.168.150", "20.192.153.104"],
+ "japaneast" : ["20.43.70.205", "20.189.228.222"],
+ "japanwest" : ["20.43.70.205", "20.189.228.222"],
+ "koreacentral" : ["20.200.196.96", "52.147.119.29"],
+ "koreasouth" : ["20.200.196.96", "52.147.119.29"],
+ "norwaywest" : ["20.100.1.184", "51.13.138.76"],
+ "norwayeast" : ["20.100.1.184", "51.13.138.76"],
+ "switzerlandnorth" : ["20.208.4.98", "51.107.251.190"],
+ "switzerlandwest" : ["20.208.4.98", "51.107.251.190"],
+ "uaecentral" : ["20.45.95.66", "20.38.141.5"],
+ "uaenorth" : ["20.45.95.66", "20.38.141.5"],
+ "uksouth" : ["20.90.132.144", "20.58.68.62"],
+ "ukwest" : ["20.90.132.144", "20.58.68.62"],
+ "swedencentral" : ["51.12.72.223", "51.12.22.174"],
+ "swedensouth" : ["51.12.72.223", "51.12.22.174"],
+ "centralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "northcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "southcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus2" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus3" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westcentralus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "westus" : ["20.98.146.84", "20.98.194.64", "20.69.5.162", "20.83.222.102"],
+ "eastus2euap" : ["20.45.242.18", "20.51.21.252"],
+ "centraluseuap" : ["20.45.242.18", "20.51.21.252"]
+ }
+ serial_console_ips = contains(keys(local.serial_console_ips_per_location),var.location) ? local.serial_console_ips_per_location[var.location] : []
+ storage_account_ip_rules = concat(local.serial_console_ips, var.storage_account_additional_ips)
+}
+variable "vm_instance_identity_type" {
+ description = "Managed Service Identity type"
+ type = string
+ default = "SystemAssigned"
+}
+
+variable "template_name"{
+ description = "Template name. Should be defined according to deployment type(ha, vmss)"
+ type = string
+}
+
+variable "template_version"{
+ description = "Template name. Should be defined according to deployment type(e.g. ha, vmss)"
+ type = string
+}
+
+variable "bootstrap_script" {
+ description = "An optional script to run on the initial boot"
+ type = string
+ default = ""
+}
+
+variable "os_version"{
+ description = "GAIA OS version"
+ type = string
+}
+
+locals { // locals for 'os_version' allowed values
+ os_version_allowed_values = [
+ "R8110",
+ "R8120",
+ "R82"
+ ]
+ // will fail if [var.installation_type] is invalid:
+ validate_os_version_value = index(local.os_version_allowed_values, var.os_version)
+}
+
+variable "installation_type"{
+ description = "Installation type. Allowed values: cluster, vmss"
+ type = string
+}
+
+locals { // locals for 'installation_type' allowed values
+ installation_type_allowed_values = [
+ "cluster",
+ "vmss",
+ "management",
+ "standalone",
+ "gateway",
+ "mds-primary",
+ "mds-secondary",
+ "mds-logserver"
+ ]
+ // will fail if [var.installation_type] is invalid:
+ validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)
+}
+
+variable "number_of_vm_instances"{
+ description = "Number of VM instances to deploy"
+ type = string
+}
+
+variable "allow_upload_download" {
+ description = "Allow upload/download to Check Point"
+ type = bool
+}
+
+variable "is_blink" {
+ description = "Define if blink image is used for deployment"
+}
+
+variable "vm_size" {
+ description = "Specifies size of Virtual Machine"
+ type = string
+}
+
+locals {// locals for 'vm_size' allowed values
+ allowed_vm_sizes = ["Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s",
+ "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3",
+ "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3",
+ "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3",
+ "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2",
+ "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s",
+ "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2",
+ "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2",
+ "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3",
+ "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3",
+ "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2",
+ "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5",
+ "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5",
+ "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5",
+ "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5"
+ ]
+ // will fail if [var.vm_size] is invalid:
+ validate_vm_size_value = index(local.allowed_vm_sizes, var.vm_size)
+}
+variable "delete_os_disk_on_termination" {
+ type = bool
+ description = "Delete datadisk when VM is terminated"
+ default = true
+}
+
+variable "publisher" {
+ description = "CheckPoint publisher"
+ default = "checkpoint"
+}
+
+//************** Storage image reference and plan variables ****************//
+variable "vm_os_offer" {
+ description = "The name of the image offer to be deployed.Choose from: check-point-cg-r81, check-point-cg-r8110, check-point-cg-r8120, check-point-cg-r82"
+ type = string
+}
+
+locals { // locals for 'vm_os_offer' allowed values
+ vm_os_offer_allowed_values = [
+ "check-point-cg-r81",
+ "check-point-cg-r8110",
+ "check-point-cg-r8120",
+ "check-point-cg-r82"
+ ]
+ // will fail if [var.vm_os_offer] is invalid:
+ validate_os_offer_value = index(local.vm_os_offer_allowed_values, var.vm_os_offer)
+ validate_os_version_match = regex(split("-", var.vm_os_offer)[3], lower(var.os_version))
+}
+
+variable "vm_os_sku" {
+ /*
+ Choose from:
+ - "sg-byol"
+ - "sg-ngtp" (for R81 and above)
+ - "sg-ngtx" (for R81 and above)
+ - "mgmt-byol"
+ - "mgmt-25"
+ */
+ description = "The sku of the image to be deployed"
+ type = string
+}
+
+locals { // locals for 'vm_os_sku' allowed values
+ vm_os_sku_allowed_values = [
+ "sg-byol",
+ "sg-ngtp",
+ "sg-ngtx",
+ "mgmt-byol",
+ "mgmt-25"
+ ]
+ // will fail if [var.vm_os_sku] is invalid:
+ validate_vm_os_sku_value = index(local.vm_os_sku_allowed_values, var.vm_os_sku)
+}
+
+variable "vm_os_version" {
+ description = "The version of the image that you want to deploy. "
+ type = string
+ default = "latest"
+}
+
+variable "storage_account_type" {
+ description = "Defines the type of storage account to be created. Valid options is Standard_LRS, Premium_LRS"
+ type = string
+ default = "Standard_LRS"
+}
+
+locals { // locals for 'storage_account_type' allowed values
+ storage_account_type_allowed_values = [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ // will fail if [var.storage_account_type] is invalid:
+ validate_storage_account_type_value = index(local.storage_account_type_allowed_values, var.storage_account_type)
+}
+
+variable "storage_account_tier" {
+ description = "Defines the Tier to use for this storage account.Valid options are Standard and Premium"
+ default = "Standard"
+}
+
+locals { // locals for 'storage_account_tier' allowed values
+ storage_account_tier_allowed_values = [
+ "Standard",
+ "Premium"
+ ]
+ // will fail if [var.storage_account_tier] is invalid:
+ validate_storage_account_tier_value = index(local.storage_account_tier_allowed_values, var.storage_account_tier)
+}
+
+variable "account_replication_type" {
+ description = "Defines the type of replication to use for this storage account.Valid options are LRS, GRS, RAGRS and ZRS"
+ type = string
+ default = "LRS"
+}
+
+locals { // locals for 'account_replication_type' allowed values
+ account_replication_type_allowed_values = [
+ "LRS",
+ "GRS",
+ "RAGRS",
+ "ZRS"
+ ]
+ // will fail if [var.account_replication_type] is invalid:
+ validate_account_replication_type_value = index(local.account_replication_type_allowed_values, var.account_replication_type)
+}
+
+variable "disk_size" {
+ description = "Storage data disk size size(GB). Select a number between 100 and 3995"
+ type = string
+}
+
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 3995
+ count = tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 ? 0 : "variable disk_size must be a number between 100 and 3995"
+}
+
+//************** Storage OS disk variables **************//
+variable "storage_os_disk_create_option" {
+ description = "The method to use when creating the managed disk"
+ type = string
+ default = "FromImage"
+}
+
+variable "storage_os_disk_caching" {
+ description = "Specifies the caching requirements for the OS Disk"
+ default = "ReadWrite"
+}
+
+variable "managed_disk_type" {
+ description = "Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS"
+ type = string
+ default = "Standard_LRS"
+}
+
+locals { // locals for 'managed_disk_type' allowed values
+ managed_disk_type_allowed_values = [
+ "Standard_LRS",
+ "Premium_LRS"
+ ]
+ // will fail if [var.managed_disk_type] is invalid:
+ validate_managed_disk_type_value = index(local.managed_disk_type_allowed_values, var.managed_disk_type)
+}
+
+variable "authentication_type" {
+ description = "Specifies whether a password authentication or SSH Public Key authentication should be used"
+ type = string
+}
+locals { // locals for 'authentication_type' allowed values
+ authentication_type_allowed_values = [
+ "Password",
+ "SSH Public Key"
+ ]
+ // will fail if [var.authentication_type] is invalid:
+ validate_authentication_type_value = index(local.authentication_type_allowed_values, var.authentication_type)
+}
+
+
+//********************** Role Assignments variables**************************//
+variable "role_definition" {
+ description = "Role definition. The full list of Azure Built-in role descriptions can be found at https://docs.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles"
+ type = string
+ default = "Contributor"
+}
\ No newline at end of file
diff --git a/modules/common/versions.tf b/modules/common/versions.tf
new file mode 100755
index 0000000..0ec4dcc
--- /dev/null
+++ b/modules/common/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/modules/network_security_group/main.tf b/modules/network_security_group/main.tf
new file mode 100755
index 0000000..1beeaf1
--- /dev/null
+++ b/modules/network_security_group/main.tf
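Review bot: The `validation` block on `storage_account_additional_ips` contradicts its own description: the description promises "IPs/CIDRs", but the regex is anchored on a bare dotted quad, so a CIDR such as `10.0.0.0/24` is rejected with "Invalid IPv4 address.", while the only deliberate open-range guard is the literal `"0.0.0.0"`. Either drop "CIDRs" from the description or widen the condition, e.g. `alltrue([for ip in var.storage_account_additional_ips : can(regex("<existing pattern>", ip)) || can(cidrnetmask(ip))])`, and then reject `"0.0.0.0/0"` explicitly next to `"0.0.0.0"`. The later `disk_size` check relies on a `null_resource` whose `count` turns into a string on failure; with the commit's `required_version = ">= 0.14.3"` a `validation` block on `disk_size` (a `can(tonumber(...))` test plus the 100–3995 range) gives the same guarantee at plan time without depending on the null provider and with an error that names the variable.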
@@ -0,0 +1,23 @@
+resource "azurerm_network_security_group" "nsg" {
+ name = var.security_group_name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ tags = var.tags
+ }
+
+//************ Security Rule Example **************//
+resource "azurerm_network_security_rule" "security_rule" {
+ count = length(var.security_rules)
+ name = lookup(var.security_rules[count.index], "name")
+ priority = lookup(var.security_rules[count.index], "priority", 4096 - length(var.security_rules) + count.index)
+ direction = lookup(var.security_rules[count.index], "direction")
+ access = lookup(var.security_rules[count.index], "access")
+ protocol = lookup(var.security_rules[count.index], "protocol")
+ source_port_range = lookup(var.security_rules[count.index], "source_port_ranges")
+ destination_port_range = lookup(var.security_rules[count.index], "destination_port_ranges")
+ description = lookup(var.security_rules[count.index], "description")
+ source_address_prefix = lookup(var.security_rules[count.index], "source_address_prefix")
+ destination_address_prefix = lookup(var.security_rules[count.index], "destination_address_prefix")
+ resource_group_name = var.resource_group_name
+ network_security_group_name = azurerm_network_security_group.nsg.name
+}
diff --git a/modules/network_security_group/output.tf b/modules/network_security_group/output.tf
new file mode 100755
index 0000000..c1aa127
--- /dev/null
+++ b/modules/network_security_group/output.tf
@@ -0,0 +1,7 @@
+output "network_security_group_id" {
+ value = azurerm_network_security_group.nsg.id
+}
+
+output "network_security_group_name" {
+ value = azurerm_network_security_group.nsg.name
+}
\ No newline at end of file
diff --git a/modules/network_security_group/variables.tf b/modules/network_security_group/variables.tf
new file mode 100755
index 0000000..363489e
--- /dev/null
+++ b/modules/network_security_group/variables.tf
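Review bot: `azurerm_network_security_rule.security_rule` reads the keys `source_port_ranges` and `destination_port_ranges` from each rule map, while the `security_rules` description in modules/network_security_group/variables.tf documents them as `source_port_range` / `destination_port_range`, so a rule written to the documented format fails at plan time; because every `lookup()` here except `priority` has no default, the failure is a generic "lookup failed to find key" rather than a message naming the offending rule. Align the key names with the description (the resource arguments themselves are the singular `source_port_range` / `destination_port_range`) and consider an `object({...})` type for `security_rules` instead of `list(any)` so a misspelled key is caught by the type checker. The header comment `//************ Security Rule Example **************//` labels the real rule resource as an example; `//************ Security Rules **************//` would be less misleading.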
@@ -0,0 +1,43 @@
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ type = string
+ description = "The location/region where Network Security Group will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+}
+
+variable "security_group_name" {
+ description = "Network Security Group name"
+ default = "nsg"
+}
+
+variable "tags" {
+ description = "The tags to associate with Network Security Group"
+ type = map(string)
+ default = {}
+}
+
+# Security Rules definition
+
+variable "security_rules" {
+ description = "Security rules for the Network Security Group using this format name = [priority, direction, access, protocol, source_port_range, destination_port_range, source_address_prefix, destination_address_prefix, description]"
+ type = list(any)
+ default = []
+}
+
+variable "source_address_prefix" {
+ description = "Source address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/24"] or ["VirtualNetwork"]
+}
+
+variable "destination_address_prefix" {
+ description = "Destination address prefix to be applied to all rules"
+ type = list(string)
+ default = ["*"]
+ # Example ["10.0.3.0/32","10.0.3.128/32"] or ["VirtualNetwork"]
+}
+
diff --git a/modules/network_security_group/versions.tf b/modules/network_security_group/versions.tf
new file mode 100755
index 0000000..0ec4dcc
--- /dev/null
+++ b/modules/network_security_group/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf
new file mode 100755
index 0000000..17127b0
--- /dev/null
+++ b/modules/vnet/main.tf
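Review bot: `source_address_prefix` and `destination_address_prefix` are described as prefixes "to be applied to all rules", but nothing in modules/network_security_group/main.tf references them — each rule takes its prefixes only from its own entry in `security_rules` — so a caller who narrows the `["*"]` default expects a restriction that never reaches the NSG. Either remove the two variables or make them the fallback in the rule resource; note they are typed `list(string)` while the resource's `source_address_prefix` argument is a single string (the list form is `source_address_prefixes`), so wiring them in means choosing one shape. Whichever way it goes, the `security_rules` description should state which value wins when a rule entry also carries its own prefix.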
@@ -0,0 +1,83 @@
+resource "azurerm_virtual_network" "vnet" {
+ name = var.vnet_name
+ location = var.location
+ address_space = [var.address_space]
+ resource_group_name = var.resource_group_name
+ dns_servers = var.dns_servers
+ tags = var.tags
+}
+
+resource "azurerm_subnet" "subnet" {
+ depends_on = [azurerm_virtual_network.vnet]
+ count = length(var.subnet_names)
+ name = var.subnet_names[count.index]
+ virtual_network_name = azurerm_virtual_network.vnet.name
+ resource_group_name = var.resource_group_name
+ address_prefixes = [var.subnet_prefixes[count.index]]
+}
+
+resource "azurerm_subnet_network_security_group_association" "security_group_frontend_association" {
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[0]]
+ subnet_id = azurerm_subnet.subnet[0].id
+ network_security_group_id = var.nsg_id
+}
+resource "azurerm_subnet_network_security_group_association" "security_group_backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ depends_on = [azurerm_virtual_network.vnet, azurerm_subnet.subnet[1]]
+ subnet_id = azurerm_subnet.subnet[1].id
+ network_security_group_id = var.nsg_id
+}
+
+locals { // locals for 'next_hop_type' allowed values
+ next_hop_type_allowed_values = [
+ "VirtualNetworkGateway",
+ "VnetLocal",
+ "Internet",
+ "VirtualAppliance",
+ "None"
+ ]
+ address_prefix_length = length(var.subnet_prefixes[0])
+}
+
+resource "azurerm_route_table" "frontend" {
+ name = azurerm_subnet.subnet[0].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "Local-Subnet"
+ address_prefix = azurerm_subnet.subnet[0].address_prefixes[0]
+ next_hop_type = local.next_hop_type_allowed_values[1]
+ }
+ route {
+ name = "To-Internal"
+ address_prefix = var.address_space
+ next_hop_type = local.next_hop_type_allowed_values[3]
+ next_hop_in_ip_address = substr(replace(azurerm_subnet.subnet[0].address_prefixes[0], "0/", "4/"), 0, local.address_prefix_length - 3)
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "frontend_association" {
+ subnet_id = azurerm_subnet.subnet[0].id
+ route_table_id = azurerm_route_table.frontend.id
+}
+
+resource "azurerm_route_table" "backend" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ name = azurerm_subnet.subnet[1].name
+ location = var.location
+ resource_group_name = var.resource_group_name
+
+ route {
+ name = "To-Internet"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = local.next_hop_type_allowed_values[3]
+ next_hop_in_ip_address = substr(replace(azurerm_subnet.subnet[1].address_prefixes[0], "0/", "4/"), 0, local.address_prefix_length - 3)
+ }
+}
+
+resource "azurerm_subnet_route_table_association" "backend_association" {
+ count = length(var.subnet_names) >= 2 ? 1 : 0
+ subnet_id = azurerm_subnet.subnet[1].id
+ route_table_id = azurerm_route_table.backend[count.index].id
+}
diff --git a/modules/vnet/outputs.tf b/modules/vnet/outputs.tf
new file mode 100755
index 0000000..9dc8e20
--- /dev/null
+++ b/modules/vnet/outputs.tf
@@ -0,0 +1,27 @@
+output "vnet_id" {
+ value = azurerm_virtual_network.vnet.id
+}
+
+output "vnet_name" {
+ value = azurerm_virtual_network.vnet.name
+}
+
+output "vnet_location" {
+ value = azurerm_virtual_network.vnet.location
+}
+
+output "vnet_address_space" {
+ value = azurerm_virtual_network.vnet.address_space
+}
+
+output "vnet_subnets" {
+ value = azurerm_subnet.subnet.*.id
+}
+
+output "subnet_prefixes" {
+ value = var.subnet_prefixes
+}
+
+output "allocation_method" {
+ value = var.allocation_method
+}
\ No newline at end of file
diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf
new file mode 100755
index 0000000..1f64d28
--- /dev/null
+++ b/modules/vnet/variables.tf
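Review bot: `next_hop_in_ip_address` derives the appliance address by string surgery — `replace(<prefix>, "0/", "4/")` followed by `substr(..., 0, local.address_prefix_length - 3)` — and `local.address_prefix_length` is `length(var.subnet_prefixes[0])` even inside the `backend` route table, so a backend prefix whose text is longer than the frontend's (constructed example: frontend `10.0.1.0/24`, backend `10.0.100.0/24`) is truncated to an invalid address, and any prefix not ending in `0/` passes through unchanged. `cidrhost(azurerm_subnet.subnet[0].address_prefixes[0], 4)` (and `subnet[1]` for the backend) yields the same fourth address for every prefix shape and lets `address_prefix_length` be dropped; the assumption that the appliance sits at host 4 of each subnet is the commit's and stays as is. The routes also select `local.next_hop_type_allowed_values[1]` and `[3]`, where the literals `"VnetLocal"` and `"VirtualAppliance"` would make the routing intent readable without counting list positions.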
@@ -0,0 +1,63 @@
+variable "vnet_name" {
+ description = "Name of Virtual Network"
+ type = string
+ default = "vnet01"
+}
+
+variable "resource_group_name" {
+ description = "Azure Resource Group name to build into"
+ type = string
+}
+
+variable "location" {
+ description = "The location/region where the core network will be created. The full list of Azure regions can be found at https://azure.microsoft.com/regions"
+ type = string
+}
+
+variable "address_space" {
+ description = "The address prefixes of the virtual network"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "dns_servers" {
+ description = " DNS servers to be used with a Virtual Network. If no values specified, this defaults to Azure DNS"
+ type = list(string)
+ default = []
+}
+
+variable "subnet_prefixes" {
+ description = "The address prefixes to be used for subnets"
+ type = list(string)
+ default = ["10.0.0.0/24","10.0.1.0/24"]
+}
+
+variable "subnet_names" {
+ description = "A list of subnet names in a Virtual Network"
+ type = list(string)
+ default = ["Frontend","Backend"]
+}
+
+variable "tags" {
+ description = "Tags to be associated with Virtual Network and subnets"
+ type = map(string)
+ default = {}
+}
+variable "nsg_id" {
+ description = "Network security group to be associated with a Virtual Network and subnets"
+ type = string
+}
+
+variable "allocation_method" {
+ description = "IP address allocation method"
+ type = string
+ default = "Static"
+}
+
+locals { // locals for 'allocation_method' allowed values
+ allocation_method_allowed_values = [
+ "Static"
+ ]
+ // will fail if [var.allocation_method] is invalid:
+ validate_method_allowed_value = index(local.allocation_method_allowed_values, var.allocation_method)
+}
\ No newline at end of file
diff --git a/modules/vnet/versions.tf b/modules/vnet/versions.tf
new file mode 100755
index 0000000..0ec4dcc
--- /dev/null
+++ b/modules/vnet/versions.tf
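Review bot: `subnet_names` and `subnet_prefixes` are independent lists with no check that their lengths agree, yet modules/vnet/main.tf indexes `var.subnet_prefixes[count.index]` over `length(var.subnet_names)`, so three names with two prefixes fail with an index error from inside the subnet resource instead of a message naming the two variables. Under the commit's `required_version = ">= 0.14.3"` a `validation` block cannot reference another variable, so the check belongs in a local in the style this file already uses for `allocation_method`, e.g. `validate_subnet_lists = length(var.subnet_prefixes) == length(var.subnet_names) ? true : tobool("subnet_prefixes and subnet_names must have the same length")`. The `nsg_id` description says the group is associated with "a Virtual Network and subnets", while main.tf associates it only with the first two subnets; stating that here avoids a false sense of coverage for any further subnets.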
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">= 0.14.3"
+}
\ No newline at end of file
From 16bd6c0a599271b2e135c6fdfab016b05138a90c Mon Sep 17 00:00:00 2001
From: guybarak
Date: Thu, 16 Jan 2025 16:55:05 +0000
Subject: [PATCH 4/5] README Update
---
 README.md | 18 ------------------
 modules/management_new_vnet/README.md | 2 +-
 modules/management_new_vnet/locals.tf | 2 +-
 modules/single_gateway_new_vnet/README.md | 2 +-
 modules/single_gateway_new_vnet/locals.tf | 2 +-
 modules/vmss_new_vnet/README.md | 2 +-
 modules/vmss_new_vnet/locals.tf | 2 +-
 7 files changed, 6 insertions(+), 24 deletions(-)
diff --git a/README.md b/README.md
index 510396a..11f9743 100755
--- a/README.md
+++ b/README.md
@@ -19,28 +19,10 @@ This repository provides a structured set of Terraform modules for deploying Che **Submodules:** -* [`high_availability_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/high_availability_existing_vnet) - Deploys CloudGuard High Availability solution into an existing VNet in azure. - -* [`high_availability_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/high_availability_new_vnet) Deploys CloudGuard High Availability solution into a new VNet. - -* [`management_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/management_existing_vnet) - Deploys CloudGuard Management solution into an existing VNet. - * [`management_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/management_new_vnet) - Deploys CloudGuard Management solution into a new VNet. -* [`mds_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/mds_existing_vnet) - Deploys CloudGuard Management solution into a new VNet. - -* [`mds_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/mds_new_vnet) - Deploys CloudGuard Management solution into a new VNet. - -* [`nva_into_existing_hub`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/nva_into_existing_hub) - Deploys CloudGuard Virtual WAN NVA solution into an existing vWAN Hub. - -* [`nva_into_new_vwan`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/nva_into_new_vwan) - Deploys CloudGuard Virtual WAN NVA solution into a new vWAN Hub. 
- -* [`single_gateway_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/single_gateway_existing_vnet) - Deploys CloudGuard Single Gateway solution into an existing VNet. - * [`single_gateway_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/single_gateway_new_vnet) - Deploys CloudGuard Single Gateway solution into a new VNet. -* [`vmss_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/vmss_existing_vnet) - Deploys CloudGuard VMSS solution into an existing VNet. - * [`vmss_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/vmss_new_vnet) - Deploys CloudGuard VMSS solution into a new VNet. Internal Submodules -
diff --git a/modules/management_new_vnet/README.md b/modules/management_new_vnet/README.md
index 5cc6376..fa8ab42 100755
--- a/modules/management_new_vnet/README.md
+++ b/modules/management_new_vnet/README.md
@@ -26,7 +26,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/management_new_vnet"
- version = "1.0.0"
+ version = "1.0.2"
 source_image_vhd_uri = "noCustomUri"
 resource_group_name = "checkpoint-mgmt-terraform"
diff --git a/modules/management_new_vnet/locals.tf b/modules/management_new_vnet/locals.tf
index 08ad8ca..d117cee 100755
--- a/modules/management_new_vnet/locals.tf
+++ b/modules/management_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "mgmt_terraform_registry"
- version = "1.0.0"
+ version = "1.0.2"
 }
diff --git a/modules/single_gateway_new_vnet/README.md b/modules/single_gateway_new_vnet/README.md
index 1f1f77f..c6e6d7e 100755
--- a/modules/single_gateway_new_vnet/README.md
+++ b/modules/single_gateway_new_vnet/README.md
@@ -25,7 +25,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_new_vnet"
- version = "1.0.0"
+ version = "1.0.2"
 source_image_vhd_uri = "noCustomUri"
 resource_group_name = "checkpoint-single-gw-terraform"
diff --git a/modules/single_gateway_new_vnet/locals.tf b/modules/single_gateway_new_vnet/locals.tf
index a705dea..7a54851 100755
--- a/modules/single_gateway_new_vnet/locals.tf
+++ b/modules/single_gateway_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "single_terraform_registry"
- version = "1.0.0"
+ version = "1.0.2"
 }
diff --git a/modules/vmss_new_vnet/README.md b/modules/vmss_new_vnet/README.md
index a89dddb..30440ea 100755
--- a/modules/vmss_new_vnet/README.md
+++ b/modules/vmss_new_vnet/README.md
@@ -29,7 +29,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_new_vnet"
- version = "1.0.0"
+ version = "1.0.2"
 subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 source_image_vhd_uri = "noCustomUri"
diff --git a/modules/vmss_new_vnet/locals.tf b/modules/vmss_new_vnet/locals.tf
index 6a043ca..d05c8e9 100755
--- a/modules/vmss_new_vnet/locals.tf
+++ b/modules/vmss_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "vmss_terraform_registry"
- version = "1.0.0"
+ version = "1.0.2"
 }
From ac6fc6b1209f1f809dfd9980c19bef14f682a5d3 Mon Sep 17 00:00:00 2001
From: guybarak
Date: Mon, 20 Jan 2025 09:05:06 +0000
Subject: [PATCH 5/5] Update module versions variables
---
 modules/common/outputs.tf | 4 ++--
 modules/common/variables.tf | 2 +-
 modules/management_new_vnet/README.md | 2 +-
 modules/management_new_vnet/cloud-init.sh | 2 +-
 modules/management_new_vnet/locals.tf | 2 +-
 modules/management_new_vnet/main.tf | 4 ++--
 modules/single_gateway_new_vnet/README.md | 2 +-
 modules/single_gateway_new_vnet/cloud-init.sh | 2 +-
 modules/single_gateway_new_vnet/locals.tf | 2 +-
 modules/single_gateway_new_vnet/main.tf | 4 ++--
 modules/vmss_new_vnet/README.md | 2 +-
 modules/vmss_new_vnet/cloud-init.sh | 2 +-
 modules/vmss_new_vnet/locals.tf | 2 +-
 modules/vmss_new_vnet/main.tf | 4 ++--
 14 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/modules/common/outputs.tf b/modules/common/outputs.tf
index 1d4ad2b..462f5a6 100755
--- a/modules/common/outputs.tf
+++ b/modules/common/outputs.tf
@@ -30,8 +30,8 @@ output "template_name"{
 value = var.template_name
 }
-output "template_version" {
- value = var.template_version
+output "module_version" {
+ value = var.module_version
 }
 output "bootstrap_script"{
diff --git a/modules/common/variables.tf b/modules/common/variables.tf
index 7394419..16b308e 100755
--- a/modules/common/variables.tf
+++ b/modules/common/variables.tf
@@ -118,7 +118,7 @@ variable "template_name"{
 type = string
 }
-variable "template_version"{
+variable "module_version"{
 description = "Template name. Should be defined according to deployment type(e.g. ha, vmss)"
 type = string
 }
diff --git a/modules/management_new_vnet/README.md b/modules/management_new_vnet/README.md
index fa8ab42..e2b621a 100755
--- a/modules/management_new_vnet/README.md
+++ b/modules/management_new_vnet/README.md
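Review bot: In the modules/common/variables.tf hunk the renamed `module_version` variable keeps the description `"Template name. Should be defined according to deployment type(e.g. ha, vmss)"`, which reads as a copy of the `template_name` description directly above it and now documents the wrong thing. A line that matches what the rest of this patch does with the value would be `description = "Version of the calling module, reported to the instance alongside template_name (e.g. 1.0.3)"`. The three `locals.tf` hunks in this patch set `module_version` to the same string the README examples use for the registry `version`, so it may also be worth stating in the description that the two are expected to be bumped together; the rest of variables.tf is outside this chunk.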
@@ -26,7 +26,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/management_new_vnet"
- version = "1.0.2"
+ version = "1.0.3"
 source_image_vhd_uri = "noCustomUri"
 resource_group_name = "checkpoint-mgmt-terraform"
diff --git a/modules/management_new_vnet/cloud-init.sh b/modules/management_new_vnet/cloud-init.sh
index 4639554..58fd101 100755
--- a/modules/management_new_vnet/cloud-init.sh
+++ b/modules/management_new_vnet/cloud-init.sh
@@ -4,7 +4,7 @@ installationType="${installation_type}"
 allowUploadDownload="${allow_upload_download}"
 osVersion="${os_version}"
 templateName="${template_name}"
-templateVersion="${template_version}"
+templateVersion="${module_version}"
 templateType="${template_type}"
 isBlink="${is_blink}"
 bootstrapScript64="${bootstrap_script64}"
diff --git a/modules/management_new_vnet/locals.tf b/modules/management_new_vnet/locals.tf
index d117cee..7130e3a 100755
--- a/modules/management_new_vnet/locals.tf
+++ b/modules/management_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "mgmt_terraform_registry"
- version = "1.0.2"
+ module_version = "1.0.3"
 }
diff --git a/modules/management_new_vnet/main.tf b/modules/management_new_vnet/main.tf
index fb8cf55..40f4883 100755
--- a/modules/management_new_vnet/main.tf
+++ b/modules/management_new_vnet/main.tf
@@ -6,7 +6,7 @@ module "common" {
 admin_password = var.admin_password
 installation_type = var.installation_type
 template_name = local.template_name
- template_version = local.template_version
+ module_version = local.module_version
 number_of_vm_instances = 1
 allow_upload_download = var.allow_upload_download
 vm_size = var.vm_size
@@ -263,7 +263,7 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" {
 allow_upload_download = module.common.allow_upload_download
 os_version = module.common.os_version
 template_name = module.common.template_name
- template_version = module.common.template_version
+ module_version = module.common.module_version
 template_type = "terraform"
 is_blink = module.common.is_blink
 bootstrap_script64 = base64encode(var.bootstrap_script)
diff --git a/modules/single_gateway_new_vnet/README.md b/modules/single_gateway_new_vnet/README.md
index c6e6d7e..a05c437 100755
--- a/modules/single_gateway_new_vnet/README.md
+++ b/modules/single_gateway_new_vnet/README.md
@@ -25,7 +25,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_new_vnet"
- version = "1.0.2"
+ version = "1.0.3"
 source_image_vhd_uri = "noCustomUri"
 resource_group_name = "checkpoint-single-gw-terraform"
diff --git a/modules/single_gateway_new_vnet/cloud-init.sh b/modules/single_gateway_new_vnet/cloud-init.sh
index 71bf391..a2d209c 100755
--- a/modules/single_gateway_new_vnet/cloud-init.sh
+++ b/modules/single_gateway_new_vnet/cloud-init.sh
@@ -4,7 +4,7 @@ installationType="${installation_type}"
 allowUploadDownload="${allow_upload_download}"
 osVersion="${os_version}"
 templateName="${template_name}"
-templateVersion="${template_version}"
+templateVersion="${module_version}"
 templateType="${template_type}"
 isBlink="${is_blink}"
 bootstrapScript64="${bootstrap_script64}"
diff --git a/modules/single_gateway_new_vnet/locals.tf b/modules/single_gateway_new_vnet/locals.tf
index 7a54851..9892b55 100755
--- a/modules/single_gateway_new_vnet/locals.tf
+++ b/modules/single_gateway_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "single_terraform_registry"
- version = "1.0.2"
+ module_version = "1.0.3"
 }
diff --git a/modules/single_gateway_new_vnet/main.tf b/modules/single_gateway_new_vnet/main.tf
index 138a8e6..748f740 100755
--- a/modules/single_gateway_new_vnet/main.tf
+++ b/modules/single_gateway_new_vnet/main.tf
@@ -6,7 +6,7 @@ module "common" {
 admin_password = var.admin_password
 installation_type = var.installation_type
 template_name = local.template_name
- template_version = local.version
+ module_version = local.module_version
 number_of_vm_instances = 1
 allow_upload_download = var.allow_upload_download
 vm_size = var.vm_size
@@ -188,7 +188,7 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" {
 allow_upload_download = module.common.allow_upload_download
 os_version = module.common.os_version
 template_name = module.common.template_name
- template_version = module.common.template_version
+ module_version = module.common.module_version
 template_type = "terraform"
 is_blink = module.common.is_blink
 bootstrap_script64 = base64encode(var.bootstrap_script)
diff --git a/modules/vmss_new_vnet/README.md b/modules/vmss_new_vnet/README.md
index 30440ea..d203010 100755
--- a/modules/vmss_new_vnet/README.md
+++ b/modules/vmss_new_vnet/README.md
@@ -29,7 +29,7 @@ provider "azurerm" {
 module "example_module" {
 source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_new_vnet"
- version = "1.0.2"
+ version = "1.0.3"
 subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 source_image_vhd_uri = "noCustomUri"
diff --git a/modules/vmss_new_vnet/cloud-init.sh b/modules/vmss_new_vnet/cloud-init.sh
index f11f72c..f595e2b 100755
--- a/modules/vmss_new_vnet/cloud-init.sh
+++ b/modules/vmss_new_vnet/cloud-init.sh
@@ -4,7 +4,7 @@ installationType="${installation_type}"
 allowUploadDownload="${allow_upload_download}"
 osVersion="${os_version}"
 templateName="${template_name}"
-templateVersion="${template_version}"
+templateVersion="${module_version}"
 templateType="${template_type}"
 isBlink="${is_blink}"
 bootstrapScript64="${bootstrap_script64}"
diff --git a/modules/vmss_new_vnet/locals.tf b/modules/vmss_new_vnet/locals.tf
index d05c8e9..c309b21 100755
--- a/modules/vmss_new_vnet/locals.tf
+++ b/modules/vmss_new_vnet/locals.tf
@@ -1,4 +1,4 @@
 locals {
 template_name = "vmss_terraform_registry"
- version = "1.0.2"
+ module_version = "1.0.3"
 }
diff --git a/modules/vmss_new_vnet/main.tf b/modules/vmss_new_vnet/main.tf
index 911daa2..881a33b 100755
--- a/modules/vmss_new_vnet/main.tf
+++ b/modules/vmss_new_vnet/main.tf
@@ -6,7 +6,7 @@ module "common" {
 admin_password = var.authentication_type == "SSH Public Key" ? random_id.random_id.hex : var.admin_password
 installation_type = var.installation_type
 template_name = local.template_name
- template_version = local.template_version
+ module_version = local.module_version
 number_of_vm_instances = var.number_of_vm_instances
 allow_upload_download = var.allow_upload_download
 vm_size = var.vm_size
@@ -257,7 +257,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" {
 allow_upload_download = module.common.allow_upload_download
 os_version = module.common.os_version
 template_name = module.common.template_name
- template_version = module.common.template_version
+ module_version = module.common.module_version
 template_type = "terraform"
 is_blink = module.common.is_blink
 bootstrap_script64 = base64encode(var.bootstrap_script)