From 35f85029684cf986518728777dd898f8dcbff8e4 Mon Sep 17 00:00:00 2001 From: natanelm Date: Mon, 15 Sep 2025 14:44:57 +0000 Subject: [PATCH 1/2] VWAN | Added plan parameters --- modules/nva_into_existing_hub/main.tf | 6 +++--- modules/nva_into_existing_hub/variables.tf | 22 ++++++++++++++++++++++ modules/nva_into_new_vwan/main.tf | 9 ++++++--- modules/nva_into_new_vwan/variables.tf | 22 ++++++++++++++++++++++ 4 files changed, 53 insertions(+), 6 deletions(-) diff --git a/modules/nva_into_existing_hub/main.tf b/modules/nva_into_existing_hub/main.tf index c0a8dfb..5c1b4c1 100755 --- a/modules/nva_into_existing_hub/main.tf +++ b/modules/nva_into_existing_hub/main.tf @@ -72,7 +72,7 @@ data "http" "accept-marketplace-terms-existing-agreement" { resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 publisher = "checkpoint" - offer = "cp-vwan-managed-app" + offer = var.plan_product plan = "vwan-app" } @@ -140,9 +140,9 @@ resource "azapi_resource" "managed-app" { kind = "MarketPlace", plan = { name = "vwan-app" - product = "cp-vwan-managed-app" + product = var.plan_product publisher = "checkpoint" - version = "1.0.22" + version = var.plan_version }, identity = { type = "UserAssigned" diff --git a/modules/nva_into_existing_hub/variables.tf b/modules/nva_into_existing_hub/variables.tf index cfc1268..e2c5c63 100755 --- a/modules/nva_into_existing_hub/variables.tf +++ b/modules/nva_into_existing_hub/variables.tf 
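Review bot: A non-default `plan_product` cannot produce a valid marketplace agreement from this resource as written, because `offer` now comes from the variable while `plan = "vwan-app"` and `publisher = "checkpoint"` stay literal, so the product/plan pair no longer necessarily exists; the same split appears in the `azapi_resource "managed-app"` plan block later in this file and in the two matching hunks of modules/nva_into_new_vwan/main.tf. The `data "http" "accept-marketplace-terms-existing-agreement"` request sits above the hunk, so I cannot see whether its URL still embeds the literal offer name; if it does, the terms lookup and the agreement resource would refer to different products whenever the variable is overridden. Either keep the product effectively fixed by restricting the variable to the documented value, or parameterize publisher and plan name together with it so the three always describe one offer.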
@@ -195,4 +195,26 @@ locals{ is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) +} + +variable "plan_product" { + description = "Use the following plan when deploying with terraform: cp-vwan-managed-app" + type = string + default = "cp-vwan-managed-app" +} + +variable "plan_version" { + description = "Use the latest version of the managed application (e.g., 1.0.23) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192" + type = string + default = "1.0.23" +} + +variable "custom_license_type" { + description = "License type when using staged image." + type = string + default = "" + validation { + condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type) + error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty." + } } \ No newline at end of file diff --git a/modules/nva_into_new_vwan/main.tf b/modules/nva_into_new_vwan/main.tf index d148e18..f39dbb6 100755 --- a/modules/nva_into_new_vwan/main.tf +++ b/modules/nva_into_new_vwan/main.tf @@ -82,7 +82,7 @@ data "http" "accept-marketplace-terms-existing-agreement" { resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 publisher = "checkpoint" - offer = "cp-vwan-managed-app" + offer = var.plan_product plan = "vwan-app" } @@ -151,9 +151,9 @@ resource "azapi_resource" "managed-app" { kind = "MarketPlace", plan = { name = "vwan-app" - product = "cp-vwan-managed-app" + product = var.plan_product publisher = "checkpoint" - version = "1.0.22" + version = var.plan_version }, identity = { type = "UserAssigned" 
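Review bot: `custom_license_type` is declared here but never consumed in this module within the patch: the only hunks touching modules/nva_into_existing_hub/main.tf change `offer`, `product` and `version`, while the `customLicenseType` template parameter is wired only in modules/nva_into_new_vwan/main.tf (@@ -234). Unless it is read somewhere outside the patch, a caller setting this variable on the existing-hub module gets no effect and no warning; either add the same `customLicenseType = { value = var.custom_license_type }` entry to this module's managed-app parameters or drop the variable here. `plan_version` is also accepted unchecked, and the `plan_product` description reads as an instruction rather than a description of the value; a validation such as `condition = can(regex("^\\d+\\.\\d+\\.\\d+$", var.plan_version))` with `error_message = "plan_version must be in the form X.Y.Z."` would reject malformed values at plan time. The identical block in modules/nva_into_new_vwan/variables.tf has the same gaps.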
@@ -234,6 +234,9 @@ resource "azapi_resource" "managed-app" { }, templateName = { value = "wan_terraform_registry" + }, + customLicenseType = { + value = var.custom_license_type } }, managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}" diff --git a/modules/nva_into_new_vwan/variables.tf b/modules/nva_into_new_vwan/variables.tf index 2759e3f..3c294b4 100755 --- a/modules/nva_into_new_vwan/variables.tf +++ b/modules/nva_into_new_vwan/variables.tf @@ -206,4 +206,26 @@ locals{ is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) +} + +variable "plan_product" { + description = "Use the following plan when deploying with terraform: cp-vwan-managed-app" + type = string + default = "cp-vwan-managed-app" +} + +variable "plan_version" { + description = "Use the latest version of the managed application (e.g., 1.0.23) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192" + type = string + default = "1.0.23" +} + +variable "custom_license_type" { + description = "License type when using staged image." + type = string + default = "" + validation { + condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type) + error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty." + } } \ No newline at end of file From 2a04dde310d037d41f4ceac4e416a158b6272df1 Mon Sep 17 00:00:00 2001 
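Review bot: `customLicenseType` is now sent on every deployment, with `""` as the value whenever `custom_license_type` is left at its default. Whether the managed-application template accepts an empty string for that parameter is not visible here; if the template declares allowed values that exclude `""`, every deployment that does not set the variable would fail at apply time rather than at plan time. If the empty value is meant as "no staged image", consider omitting the parameter in that case rather than sending an empty string, or state the template's contract for the empty value in the variable description so the behaviour is documented where callers will see it. The enclosing `body` object of `azapi_resource "managed-app"` starts and ends outside the hunk.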
From: natanelm Date: Tue, 16 Sep 2025 08:41:21 +0000 Subject: [PATCH 2/2] Enabled support for custom tags across all solutions --- modules/common/main.tf | 1 + modules/common/variables.tf | 4 +- .../high_availability_existing_vnet/README.md | 3 +- .../high_availability_existing_vnet/locals.tf | 2 +- .../high_availability_existing_vnet/main.tf | 23 ++ .../variables.tf | 5 + modules/high_availability_new_vnet/README.md | 3 +- modules/high_availability_new_vnet/locals.tf | 2 +- modules/high_availability_new_vnet/main.tf | 26 ++ .../high_availability_new_vnet/variables.tf | 6 + modules/management_existing_vnet/README.md | 5 +- modules/management_existing_vnet/locals.tf | 2 +- modules/management_existing_vnet/main.tf | 12 +- modules/management_existing_vnet/variables.tf | 6 + modules/management_new_vnet/README.md | 3 +- modules/management_new_vnet/locals.tf | 2 +- modules/management_new_vnet/main.tf | 13 + modules/management_new_vnet/variables.tf | 6 + modules/mds_existing_vnet/README.md | 5 +- modules/mds_existing_vnet/locals.tf | 2 +- modules/mds_existing_vnet/main.tf | 13 +- modules/mds_existing_vnet/variables.tf | 6 + modules/mds_new_vnet/README.md | 5 +- modules/mds_new_vnet/locals.tf | 2 +- modules/mds_new_vnet/main.tf | 14 +- modules/mds_new_vnet/variables.tf | 5 + modules/nva_into_existing_hub/README.md | 7 +- modules/nva_into_existing_hub/main.tf | 11 + modules/nva_into_existing_hub/variables.tf | 62 ++-- modules/nva_into_new_vwan/README.md | 3 +- modules/nva_into_new_vwan/main.tf | 276 +++++++++--------- modules/nva_into_new_vwan/variables.tf | 58 ++-- .../single_gateway_existing_vnet/README.md | 5 +- .../single_gateway_existing_vnet/locals.tf | 2 +- modules/single_gateway_existing_vnet/main.tf | 13 + .../single_gateway_existing_vnet/variables.tf | 6 + modules/single_gateway_new_vnet/README.md | 3 +- modules/single_gateway_new_vnet/locals.tf | 2 +- modules/single_gateway_new_vnet/main.tf | 16 +- modules/single_gateway_new_vnet/variables.tf | 8 +- 
modules/vmss_existing_vnet/README.md | 5 +- modules/vmss_existing_vnet/locals.tf | 21 +- modules/vmss_existing_vnet/main.tf | 33 +-- modules/vmss_existing_vnet/variables.tf | 6 + modules/vmss_new_vnet/README.md | 3 +- modules/vmss_new_vnet/locals.tf | 21 +- modules/vmss_new_vnet/main.tf | 38 +-- modules/vmss_new_vnet/variables.tf | 6 + modules/vnet/main.tf | 6 +- modules/vnet/variables.tf | 2 +- 50 files changed, 504 insertions(+), 285 deletions(-) diff --git a/modules/common/main.tf b/modules/common/main.tf index 08bc5f9..d83c3e9 100755 --- a/modules/common/main.tf +++ b/modules/common/main.tf @@ -1,5 +1,6 @@ resource "azurerm_resource_group" "resource_group" { name = var.resource_group_name location = var.location + tags = var.tags } diff --git a/modules/common/variables.tf b/modules/common/variables.tf index 3bd7088..79da9a6 100755 --- a/modules/common/variables.tf +++ b/modules/common/variables.tf @@ -37,8 +37,8 @@ variable "maintenance_mode_password_hash" { } variable "tags" { - type = map(string) - description = "A map of the tags to use on the resources that are deployed with this module." + description = "Tags to be associated with the resource group." + type = map(string) default = {} } diff --git a/modules/high_availability_existing_vnet/README.md b/modules/high_availability_existing_vnet/README.md index 224e5f9..0a9d890 100755 --- a/modules/high_availability_existing_vnet/README.md +++ b/modules/high_availability_existing_vnet/README.md @@ -23,7 +23,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_existing_vnet" - version = "1.0.5" + version = "1.0.6" tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" source_image_vhd_uri = "noCustomUri" @@ -128,3 +128,4 @@ module "example_module" { | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | | **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | | **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/high_availability_existing_vnet/locals.tf b/modules/high_availability_existing_vnet/locals.tf index b652c45..b63e970 100755 --- a/modules/high_availability_existing_vnet/locals.tf +++ b/modules/high_availability_existing_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "ha_terraform" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/high_availability_existing_vnet/main.tf b/modules/high_availability_existing_vnet/main.tf index d711440..b0a109c 100755 --- a/modules/high_availability_existing_vnet/main.tf +++ b/modules/high_availability_existing_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -35,6 +36,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name prefix_length = 30 + tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) } data "azurerm_subnet" "frontend" { 
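Review bot: The precedence rule for tags — the `all` map is merged last, so it wins over the type-specific map — is encoded purely in argument order of `merge(lookup(var.tags, "<type>", {}), lookup(var.tags, "all", {}))`, repeated at roughly fifteen sites in this file (the hunks from @@ -19 through @@ -487) and again in every other main.tf in this patch, so a single swapped argument silently inverts the documented behaviour for one resource. Resolving the per-type maps once in `locals` keeps the rule in one commented place and reduces each site to `tags = local.tags_by_type["public-ip"]`. Since `all`-overrides-specific is the reverse of what most people expect from a global/override pair, the one place that encodes it deserves a comment pointing at the README wording.
```hcl
locals {
  // One resolved tag map per resource type. Argument order is deliberate:
  // "all" is merged last, so a key under "all" overrides the same key in the
  // type-specific map (this is the behaviour documented in README.md).
  tags_by_type = {
    for t in ["resource-group", "public-ip-prefix", "public-ip", "network-interface",
              "load-balancer", "availability-set", "storage-account", "virtual-machine",
              "custom-image"] :
    t => merge(lookup(var.tags, t, {}), lookup(var.tags, "all", {}))
  }
}

// … unchanged: module "common" arguments …
  tags = local.tags_by_type["resource-group"]
```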
@@ -58,6 +60,7 @@ resource "azurerm_public_ip" "public-ip" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "cluster-vip" { @@ -68,6 +71,7 @@ resource "azurerm_public_ip" "cluster-vip" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface" "nic_vip" { @@ -103,6 +107,8 @@ resource "azurerm_network_interface" "nic_vip" { ip_configuration ] } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { @@ -137,6 +143,8 @@ resource "azurerm_network_interface" "nic" { ip_configuration ] } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { @@ -162,6 +170,8 @@ resource "azurerm_network_interface" "nic1" { private_ip_address_allocation = var.vnet_allocation_method private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[count.index+1]) } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { 
@@ -181,6 +191,7 @@ resource "azurerm_public_ip" "public-ip-lb" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb" "frontend-lb" { @@ -195,6 +206,8 @@ resource "azurerm_lb" "frontend-lb" { name = "LoadBalancerFrontend" public_ip_address_id = azurerm_public_ip.public-ip-lb.id } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { @@ -213,6 +226,8 @@ resource "azurerm_lb" "backend-lb" { private_ip_address_allocation = var.vnet_allocation_method private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0], var.backend_IP_addresses[0]) } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { @@ -256,6 +271,7 @@ resource "azurerm_availability_set" "availability-set" { platform_fault_domain_count = 2 platform_update_domain_count = 5 managed = true + tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -283,6 +299,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -301,6 +318,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "vm-instance-availability-set" { depends_on = [ 
@@ -393,6 +412,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" { enabled = module.common.boot_diagnostics storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "vm-instance-availability-zone" { @@ -487,6 +508,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { enabled = module.common.boot_diagnostics storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } //********************** Role Assigments **************************// data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { diff --git a/modules/high_availability_existing_vnet/variables.tf b/modules/high_availability_existing_vnet/variables.tf index cbb921f..b6c662e 100755 --- a/modules/high_availability_existing_vnet/variables.tf +++ b/modules/high_availability_existing_vnet/variables.tf @@ -322,3 +322,8 @@ variable "security_rules" { default = [] } +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} \ No newline at end of file diff --git a/modules/high_availability_new_vnet/README.md b/modules/high_availability_new_vnet/README.md index 5d82482..6d5fed4 100755 --- a/modules/high_availability_new_vnet/README.md +++ b/modules/high_availability_new_vnet/README.md @@ -29,7 +29,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/high_availability_new_vnet" - version = "1.0.5" + version = "1.0.6" tenant_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" source_image_vhd_uri = "noCustomUri" 
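Review bot: The description `"Assign tags by resource."` on the new `tags` variable does not tell a caller which keys are accepted or how `all` interacts with a resource-specific key; that contract currently lives only in README.md, and generated module docs or the registry page will show just this sentence. Suggest a description that carries the contract, e.g. `description = "Tags per resource type, keyed by \"all\" or one of: resource-group, public-ip-prefix, public-ip, network-interface, load-balancer, availability-set, storage-account, virtual-machine, custom-image. A key under \"all\" overrides the same key in a type-specific map."`. The same one-line description is used for the `tags` variable in every other variables.tf in this patch, and this file also loses its trailing newline.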
@@ -130,3 +130,4 @@ module "example_module" { | **storage_account_additional_ips**| IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs
**Default:** [] | | **security_rules** | Security rules for the Network Security Group | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | | **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
`availability-set`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/high_availability_new_vnet/locals.tf b/modules/high_availability_new_vnet/locals.tf index b652c45..b63e970 100755 --- a/modules/high_availability_new_vnet/locals.tf +++ b/modules/high_availability_new_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "ha_terraform" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/high_availability_new_vnet/main.tf b/modules/high_availability_new_vnet/main.tf index 7dd1514..13d3771 100755 --- a/modules/high_availability_new_vnet/main.tf +++ b/modules/high_availability_new_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -30,6 +31,7 @@ module "vnet" { nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id address_space = var.address_space subnet_prefixes = var.subnet_prefixes + tags = var.tags } module "network_security_group" { @@ -39,6 +41,7 @@ module "network_security_group" { security_group_name = "${module.common.resource_group_name}_nsg" location = module.common.resource_group_location security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "random_id" "random_id" { 
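Review bot: `module "vnet"` receives the raw nested `var.tags` while `module "common"` and `module "network_security_group"` in the neighbouring hunks receive an already-resolved flat map, so the vnet module must re-implement the `all`-overrides-specific merge for its own resources. The two-line change to modules/vnet/variables.tf in the diffstat is consistent with it now taking the nested map, but that leaves the precedence logic defined in two modules that can drift apart. Passing the nested map to every sub-module, or resolving once here and passing flat maps everywhere, keeps one definition of the rule; the same shape appears in modules/management_new_vnet/main.tf @@ -32.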
@@ -54,6 +57,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name prefix_length = 30 + tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip" { @@ -65,6 +69,7 @@ resource "azurerm_public_ip" "public-ip" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-${count.index+1}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "cluster-vip" { @@ -75,6 +80,7 @@ resource "azurerm_public_ip" "cluster-vip" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-vip-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface" "nic_vip" { @@ -110,6 +116,8 @@ resource "azurerm_network_interface" "nic_vip" { ip_configuration ] } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic_vip_lb_association" { @@ -144,6 +152,8 @@ resource "azurerm_network_interface" "nic" { ip_configuration ] } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic_lb_association" { 
@@ -169,6 +179,8 @@ resource "azurerm_network_interface" "nic1" { private_ip_address_allocation = module.vnet.allocation_method private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], count.index+5) } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_backend_address_pool_association" "nic1_lb_association" { @@ -188,6 +200,7 @@ resource "azurerm_public_ip" "public-ip-lb" { sku = var.sku domain_name_label = "${lower(var.cluster_name)}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb" "frontend-lb" { @@ -202,6 +215,8 @@ resource "azurerm_lb" "frontend-lb" { name = "LoadBalancerFrontend" public_ip_address_id = azurerm_public_ip.public-ip-lb.id } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { @@ -220,6 +235,8 @@ resource "azurerm_lb" "backend-lb" { private_ip_address_allocation = module.vnet.allocation_method private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], 4) } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { @@ -263,6 +280,8 @@ resource "azurerm_availability_set" "availability-set" { platform_fault_domain_count = 2 platform_update_domain_count = 5 managed = true + + tags = merge(lookup(var.tags, "availability-set", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// 
@@ -290,6 +309,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -308,6 +328,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "vm-instance-availability-set" { depends_on = [ @@ -400,6 +422,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-set" { enabled = module.common.boot_diagnostics storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "vm-instance-availability-zone" { @@ -494,6 +518,8 @@ resource "azurerm_virtual_machine" "vm-instance-availability-zone" { enabled = module.common.boot_diagnostics storage_uri = module.common.boot_diagnostics ? join(",", azurerm_storage_account.vm-boot-diagnostics-storage.*.primary_blob_endpoint) : "" } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } //********************** Role Assigments **************************// data "azurerm_role_definition" "virtual_machine_contributor_role_definition" { diff --git a/modules/high_availability_new_vnet/variables.tf b/modules/high_availability_new_vnet/variables.tf index fde2d00..a3c51d8 100755 --- a/modules/high_availability_new_vnet/variables.tf +++ b/modules/high_availability_new_vnet/variables.tf @@ -321,3 +321,9 @@ variable "security_rules" { } ] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} \ No newline at end of file 
diff --git a/modules/management_existing_vnet/README.md b/modules/management_existing_vnet/README.md index c23f0c4..7349dad 100755 --- a/modules/management_existing_vnet/README.md +++ b/modules/management_existing_vnet/README.md @@ -24,7 +24,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/management_existing_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" resource_group_name = "checkpoint-mgmt-terraform" @@ -84,4 +84,5 @@ module "example_module" { | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | \ No newline at end of file +| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/management_existing_vnet/locals.tf b/modules/management_existing_vnet/locals.tf index d0c0838..8ebafa9 100755 --- a/modules/management_existing_vnet/locals.tf +++ b/modules/management_existing_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "management_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/management_existing_vnet/main.tf b/modules/management_existing_vnet/main.tf index b4aac2c..5ec6b9a 100755 --- a/modules/management_existing_vnet/main.tf +++ b/modules/management_existing_vnet/main.tf @@ -20,6 +20,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -40,6 +41,7 @@ resource "azurerm_public_ip" "public-ip" { lower(var.mgmt_name), "-", random_id.randomId.hex]) + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } module "network_security_group" { @@ -146,6 +148,8 @@ module "network_security_group" { destination_address_prefix = "*" } ]) + + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { 
@@ -169,6 +173,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = var.subnet_1st_Address public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -197,7 +203,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } - + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -217,6 +223,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "mgmt-vm-instance" { @@ -301,4 +309,6 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } \ No newline at end of file diff --git a/modules/management_existing_vnet/variables.tf b/modules/management_existing_vnet/variables.tf index fc68193..c80f487 100755 --- a/modules/management_existing_vnet/variables.tf +++ b/modules/management_existing_vnet/variables.tf @@ -226,3 +226,9 @@ variable "security_rules" { type = list(any) default = [] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/management_new_vnet/README.md b/modules/management_new_vnet/README.md index 69b4f81..d79b199 100755 --- a/modules/management_new_vnet/README.md +++ b/modules/management_new_vnet/README.md 
@@ -26,7 +26,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/management_new_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" resource_group_name = "checkpoint-mgmt-terraform" @@ -87,3 +87,4 @@ module "example_module" { | **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule is composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | | **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/management_new_vnet/locals.tf b/modules/management_new_vnet/locals.tf index d0c0838..8ebafa9 100755 --- a/modules/management_new_vnet/locals.tf +++ b/modules/management_new_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "management_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/management_new_vnet/main.tf b/modules/management_new_vnet/main.tf index fa467f1..8bcc3ec 100755 --- a/modules/management_new_vnet/main.tf +++ b/modules/management_new_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -32,6 +33,7 @@ module "vnet" { subnet_prefixes = [var.subnet_prefix] subnet_names = ["${var.mgmt_name}-subnet"] nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id + tags = var.tags } module "network_security_group" { @@ -138,6 +140,8 @@ module "network_security_group" { destination_address_prefix = "*" } ]) + + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip" { @@ -151,6 +155,8 @@ resource "azurerm_public_ip" "public-ip" { lower(var.mgmt_name), "-", random_id.randomId.hex]) + + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { 
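Review bot: `tags = var.tags` on the `module "vnet"` call in management_new_vnet/main.tf (hunk @@ -32,6 +33,7) hands the whole `map(map(string))` to the child module, whereas every other resource in this patch receives a flattened `merge(lookup(var.tags, "<scope>", {}), lookup(var.tags, "all", {}))`. If the vnet module's `tags` input is `map(string)` this fails type conversion at plan time; if it is nested and the module does its own lookups for `virtual-network` and `route-table` (as the README key list suggests), that contract is invisible at the call site. Either flatten here like the other resources or add a comment such as `# vnet module takes the nested per-scope map and resolves virtual-network / route-table itself`. The same call appears in mds_new_vnet/main.tf.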
@@ -174,6 +180,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = cidrhost(var.subnet_prefix, 4) public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -202,6 +210,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -221,6 +230,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "mgmt-vm-instance" { @@ -304,4 +315,6 @@ resource "azurerm_virtual_machine" "mgmt-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } diff --git a/modules/management_new_vnet/variables.tf b/modules/management_new_vnet/variables.tf index 0ee2e7f..a949027 100755 --- a/modules/management_new_vnet/variables.tf +++ b/modules/management_new_vnet/variables.tf @@ -225,3 +225,9 @@ variable "admin_SSH_key" { description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances." default = "" } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/mds_existing_vnet/README.md b/modules/mds_existing_vnet/README.md index bbd08ff..f90b954 100755 --- a/modules/mds_existing_vnet/README.md +++ b/modules/mds_existing_vnet/README.md 
@@ -23,7 +23,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_existing_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" resource_group_name = "checkpoint-mds-rg-terraform" @@ -96,4 +96,5 @@ module "example_module" { | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | | **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | \ No newline at end of file +| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/mds_existing_vnet/locals.tf b/modules/mds_existing_vnet/locals.tf index 20053eb..803352d 100755 --- a/modules/mds_existing_vnet/locals.tf +++ b/modules/mds_existing_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "mds_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/mds_existing_vnet/main.tf b/modules/mds_existing_vnet/main.tf index c26f8cd..3f54494 100755 --- a/modules/mds_existing_vnet/main.tf +++ b/modules/mds_existing_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -39,6 +40,8 @@ resource "azurerm_public_ip" "public-ip" { lower(var.mds_name), "-", random_id.randomId.hex]) + + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } module "network_security_group" { @@ -145,6 +148,8 @@ module "network_security_group" { destination_address_prefix = "*" } ]) + + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { @@ -168,6 +173,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = var.subnet_1st_Address public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// 
@@ -196,7 +203,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } - + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -216,6 +223,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "mds-vm-instance" { @@ -304,4 +313,6 @@ resource "azurerm_virtual_machine" "mds-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } \ No newline at end of file diff --git a/modules/mds_existing_vnet/variables.tf b/modules/mds_existing_vnet/variables.tf index 542e36c..c941149 100755 --- a/modules/mds_existing_vnet/variables.tf +++ b/modules/mds_existing_vnet/variables.tf @@ -255,3 +255,9 @@ variable "security_rules" { type = list(any) default = [] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/mds_new_vnet/README.md b/modules/mds_new_vnet/README.md index b9fc739..843916c 100755 --- a/modules/mds_new_vnet/README.md +++ b/modules/mds_new_vnet/README.md @@ -26,7 +26,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/mds_new_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" @@ -95,4 +95,5 @@ module "example_module" { | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | | **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | \ No newline at end of file +| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/mds_new_vnet/locals.tf b/modules/mds_new_vnet/locals.tf index 20053eb..803352d 100755 --- a/modules/mds_new_vnet/locals.tf +++ b/modules/mds_new_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "mds_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/mds_new_vnet/main.tf b/modules/mds_new_vnet/main.tf index 328e806..c9dd7f4 100755 --- a/modules/mds_new_vnet/main.tf +++ b/modules/mds_new_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -32,6 +33,7 @@ module "vnet" { subnet_prefixes = [var.subnet_prefix] subnet_names = ["${var.mds_name}-subnet"] nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id + tags = var.tags } module "network_security_group" { @@ -138,6 +140,8 @@ module "network_security_group" { destination_address_prefix = "*" } ]) + + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip" { @@ -151,6 +155,8 @@ resource "azurerm_public_ip" "public-ip" { lower(var.mds_name), "-", random_id.randomId.hex]) + + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { 
@@ -174,6 +180,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = cidrhost(var.subnet_prefix, 4) public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -202,7 +210,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } - + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -222,6 +230,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "mds-vm-instance" { @@ -309,4 +319,6 @@ resource "azurerm_virtual_machine" "mds-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } diff --git a/modules/mds_new_vnet/variables.tf b/modules/mds_new_vnet/variables.tf index 29d4afe..d7935d0 100755 --- a/modules/mds_new_vnet/variables.tf +++ b/modules/mds_new_vnet/variables.tf @@ -254,3 +254,8 @@ variable "security_rules" { type = list(any) default = [] } +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/nva_into_existing_hub/README.md b/modules/nva_into_existing_hub/README.md index 7ac491f..6385b50 100755 --- a/modules/nva_into_existing_hub/README.md +++ b/modules/nva_into_existing_hub/README.md 
@@ -22,7 +22,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_existing_hub" - version = "1.0.5" + version = "1.0.6" authentication_method = "Service Principal" client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" @@ -92,7 +92,4 @@ module "example_module" { | **smart1-cloud-token-c** | Smart-1 Cloud token to connect automatically ***NVA instance c*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | | **smart1-cloud-token-d** | Smart-1 Cloud token to connect automatically ***NVA instance d*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | - - - - +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/nva_into_existing_hub/main.tf b/modules/nva_into_existing_hub/main.tf index 5c1b4c1..3173004 100755 --- a/modules/nva_into_existing_hub/main.tf +++ b/modules/nva_into_existing_hub/main.tf @@ -2,6 +2,7 @@ resource "azurerm_resource_group" "managed-app-rg" { name = var.resource-group-name location = var.location + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } data "azurerm_virtual_hub" "vwan-hub" { @@ -95,6 +96,7 @@ resource "azurerm_user_assigned_identity" "managed_app_identity" { location = azurerm_resource_group.managed-app-rg.location name = "managed_app_identity" resource_group_name = azurerm_resource_group.managed-app-rg.name + tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {})) } resource "azurerm_role_assignment" "reader" { @@ -223,11 +225,18 @@ resource "azapi_resource" "managed-app" { }, templateName = { value = "wan_terraform_registry" + }, + tags = { + value = { + "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {})) + } } }, managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}" } } + + tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {})) } //********************** Routing Intent **************************// @@ -262,6 +271,8 @@ resource "azapi_resource" "routing_intent" { routingPolicies = local.routing-intent-policies } } + + tags = merge(lookup(var.tags, "routing-intent", {}), lookup(var.tags, "all", {})) } resource "azapi_update_resource" "update_routing_intent" { 
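Review bot: The new `tags` entry in the `parameters` object of `azapi_resource "managed-app"` in nva_into_existing_hub/main.tf (hunk @@ -223,11 +225,18) assumes the `wan_terraform_registry` template declares a `tags` parameter keyed by resource type (`Microsoft.Network/networkVirtualAppliances`); as far as I know ARM rejects a deployment that passes a parameter the template does not declare, so this ties the module to a plan version whose template has it. That dependency is not recorded anywhere in the patch — consider a comment on the block, e.g. `# requires a plan version whose template declares the 'tags' parameter`, and the minimum version in the README. The resource body continues past the hunk.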
diff --git a/modules/nva_into_existing_hub/variables.tf b/modules/nva_into_existing_hub/variables.tf index e2c5c63..bac2136 100755 --- a/modules/nva_into_existing_hub/variables.tf +++ b/modules/nva_into_existing_hub/variables.tf @@ -1,6 +1,6 @@ variable "authentication_method" { description = "Azure authentication method" - type = string + type = string validation { condition = contains(["Azure CLI", "Service Principal"], var.authentication_method) error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" @@ -9,22 +9,22 @@ variable "authentication_method" { variable "subscription_id" { description = "Subscription ID" - type = string + type = string } variable "tenant_id" { description = "Tenant ID" - type = string + type = string } variable "client_id" { description = "Application ID(Client ID)" - type = string + type = string } variable "client_secret" { description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." - type = string + type = string } variable "resource-group-name" { @@ -43,11 +43,11 @@ variable "managed-app-name" { } variable "vwan-hub-name" { - type = string + type = string } variable "vwan-hub-resource-group" { - type = string + type = string } variable "nva-rg-name" { @@ -62,10 +62,10 @@ variable "nva-name" { variable "os-version" { description = "GAIA OS version" - type = string - default = "R82" + type = string + default = "R82" validation { - condition = contains(["R8110", "R8120", "R82"], var.os-version) + condition = contains(["R8110", "R8120", "R82"], var.os-version) error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'" } } 
@@ -107,7 +107,7 @@ variable "sic-key" { default = "" sensitive = true validation { - condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key)) + condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key)) error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." } } @@ -121,7 +121,7 @@ variable "bgp-asn" { type = string default = "64512" validation { - condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn)) + condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn)) error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520." } } 
@@ -177,44 +177,28 @@ variable "smart1-cloud-token-e" { } variable "existing-public-ip" { - type = string - default = "" + type = string + default = "" } variable "new-public-ip" { - type = string + type = string default = "no" - validation { + validation { condition = contains(["yes", "no"], var.new-public-ip) error_message = "Valid options are string('yes' or 'no')" } } -locals{ +locals { # Validate that new-public-ip is false when existing-public-ip is used - is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" + is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" - _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) + _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) } -variable "plan_product" { - description = "Use the following plan when deploying with terraform: cp-vwan-managed-app" - type = string - default = "cp-vwan-managed-app" +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} } - -variable "plan_version" { - description = "Use the latest version of the managed application (e.g., 1.0.23) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192" - type = string - default = "1.0.23" -} - -variable "custom_license_type" { - description = "License type when using staged image." - type = string - default = "" - validation { - condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type) - error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty." - } -} \ No newline at end of file diff --git a/modules/nva_into_new_vwan/README.md b/modules/nva_into_new_vwan/README.md index 4997749..000b656 100755 --- a/modules/nva_into_new_vwan/README.md +++ b/modules/nva_into_new_vwan/README.md 
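Review bot: This hunk deletes `variable "plan_product"` and `variable "plan_version"` from nva_into_existing_hub/variables.tf, but none of this patch's hunks for nva_into_existing_hub/main.tf (@@ -2, @@ -95, @@ -223, @@ -262) touch the marketplace-agreement or `plan` blocks, and the sibling nva_into_new_vwan/main.tf in this same patch still carries `offer = var.plan_product`. If this module's main.tf likewise still references `var.plan_product` / `var.plan_version`, `terraform validate` fails with a reference to an undeclared input variable and 1.0.6 of the module is unusable. Either keep the two variable blocks or pin the offer and version literals back in main.tf in the same commit so the two files stay consistent. The removed `custom_license_type` variable has no visible consumer, so dropping it looks safe.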
@@ -24,7 +24,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/nva_into_new_vwan" - version = "1.0.5" + version = "1.0.6" authentication_method = "Service Principal" client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" @@ -100,3 +100,4 @@ module "example_module" { | **smart1-cloud-token-e** | Smart-1 Cloud token to connect automatically ***NVA instance e*** to Check Point's Security Management as a Service.

Follow these instructions to quickly connect this member to Smart-1 Cloud - [SK180501](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk180501) | string | A valid token copied from the Connect Gateway screen in Smart-1 Cloud portal. | | **existing-public-ip** | Existing public IP reosurce to attach to the newly deployed NVA | string | A resource ID of the public IP resource. | | **new-public-ip** | Deploy a new public IP resource as part of the managed app and attach to the NVA | string | yes;
no. | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group` (Applies tags to managed application resource group)
`virtual-wan`
`virtual-hub`
`managed-identity` (Applies tags to the managed identity of the managed application)
`managed-application`
`routing-intent`
`network-virtual-appliance`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/nva_into_new_vwan/main.tf b/modules/nva_into_new_vwan/main.tf index f39dbb6..70c65cc 100755 --- a/modules/nva_into_new_vwan/main.tf +++ b/modules/nva_into_new_vwan/main.tf @@ -2,12 +2,14 @@ resource "azurerm_resource_group" "managed-app-rg" { name = var.resource-group-name location = var.location + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_wan" "vwan" { name = var.vwan-name resource_group_name = azurerm_resource_group.managed-app-rg.name location = var.location + tags = merge(lookup(var.tags, "virtual-wan", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_hub" "vwan-hub" { @@ -16,17 +18,18 @@ resource "azurerm_virtual_hub" "vwan-hub" { location = azurerm_resource_group.managed-app-rg.location address_prefix = var.vwan-hub-address-prefix virtual_wan_id = azurerm_virtual_wan.vwan.id + tags = merge(lookup(var.tags, "virtual-hub", {}), lookup(var.tags, "all", {})) } //********************** Image Version **************************// data "external" "az_access_token" { - count = var.authentication_method == "Azure CLI" ? 1 : 0 + count = var.authentication_method == "Azure CLI" ? 1 : 0 program = ["az", "account", "get-access-token", "--resource=https://management.azure.com", "--query={accessToken: accessToken}", "--output=json"] } data "http" "azure_auth" { - count = var.authentication_method == "Service Principal" ? 1 : 0 + count = var.authentication_method == "Service Principal" ? 1 : 0 url = "https://login.microsoftonline.com/${var.tenant_id}/oauth2/v2.0/token" method = "POST" request_headers = { 
@@ -41,46 +44,46 @@ locals { data "http" "image-versions" { method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? "-premium" : ""}?api-version=2020-05-01" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Network/networkVirtualApplianceSKUs/checkpoint${var.license-type == "Full Package (NGTX and Smart1-Cloud)" ? "-ngtx" : var.license-type == "Full Package Premium (NGTX and Smart1-Cloud Premium)" ? "-premium" : ""}?api-version=2020-05-01" request_headers = { - Accept = "application/json" + Accept = "application/json" "Authorization" = "Bearer ${local.access_token}" } } locals { - image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)]) - routing_intent-internet-policy = { - "name": "InternetTraffic", - "destinations": [ - "Internet" - ], - "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" - } - routing_intent-private-policy = { - "name": "PrivateTrafficPolicy", - "destinations": [ - "PrivateTraffic" - ], - "nextHop": "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" - } - routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? 
tolist([local.routing_intent-private-policy]) : []) - public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? split("/", var.existing-public-ip)[4] : ""}" + image_versions = tolist([for version in jsondecode(data.http.image-versions.response_body).properties.availableVersions : version if substr(version, 0, 4) == substr(lower(length(var.os-version) > 3 ? var.os-version : "${var.os-version}00"), 1, 4)]) + routing_intent-internet-policy = { + "name" : "InternetTraffic", + "destinations" : [ + "Internet" + ], + "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing_intent-private-policy = { + "name" : "PrivateTrafficPolicy", + "destinations" : [ + "PrivateTraffic" + ], + "nextHop" : "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}/providers/Microsoft.Network/networkVirtualAppliances/${var.nva-name}" + } + routing-intent-policies = var.routing-intent-internet-traffic == "yes" ? (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-internet-policy, local.routing_intent-private-policy]) : tolist([local.routing_intent-internet-policy])) : (var.routing-intent-private-traffic == "yes" ? tolist([local.routing_intent-private-policy]) : []) + public_ip_resource_group = "/subscriptions/${var.subscription_id}/resourceGroups/${var.new-public-ip == "yes" ? azurerm_resource_group.managed-app-rg.name : var.existing-public-ip != "" ? 
split("/", var.existing-public-ip)[4] : ""}" } //********************** Marketplace Terms & Solution Registration **************************// data "http" "accept-marketplace-terms-existing-agreement" { method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/cp-vwan-managed-app/plans/vwan-app?api-version=2021-01-01" request_headers = { - Accept = "application/json" + Accept = "application/json" "Authorization" = "Bearer ${local.access_token}" } } resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { - count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 + count = can(jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).id) ? (jsondecode(data.http.accept-marketplace-terms-existing-agreement.response_body).properties.state == "Active" ? 0 : 1) : 1 publisher = "checkpoint" offer = var.plan_product plan = "vwan-app" 
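Review bot: The `url` of `data "http" "accept-marketplace-terms-existing-agreement"` in nva_into_new_vwan/main.tf (rewritten in this hunk for whitespace only) still hardcodes `offers/cp-vwan-managed-app`, while the `azurerm_marketplace_agreement` resource a few lines below uses `offer = var.plan_product`. When a caller overrides `plan_product`, the existence check reports the agreement state of a different offer, so `count` can be 0 while the terms for the offer actually deployed were never accepted. Interpolate the same variable into the check: `url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.MarketplaceOrdering/agreements/checkpoint/offers/${var.plan_product}/plans/vwan-app?api-version=2021-01-01"`. The `accept-marketplace-terms` resource body continues past the end of the hunk.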
@@ -89,16 +92,16 @@ resource "azurerm_marketplace_agreement" "accept-marketplace-terms" { data "http" "azurerm_resource_provider_registration-exist" { method = "GET" - url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" + url = "https://management.azure.com/subscriptions/${var.subscription_id}/providers/Microsoft.Solutions?api-version=2021-01-01" request_headers = { - Accept = "application/json" + Accept = "application/json" "Authorization" = "Bearer ${local.access_token}" } } resource "azurerm_resource_provider_registration" "solutions" { count = jsondecode(data.http.azurerm_resource_provider_registration-exist.response_body).registrationState == "Registered" ? 0 : 1 - name = "Microsoft.Solutions" + name = "Microsoft.Solutions" } //********************** Managed Identity **************************// @@ -106,10 +109,11 @@ resource "azurerm_user_assigned_identity" "managed_app_identity" { location = azurerm_resource_group.managed-app-rg.location name = "managed_app_identity" resource_group_name = azurerm_resource_group.managed-app-rg.name + tags = merge(lookup(var.tags, "managed-identity", {}), lookup(var.tags, "all", {})) } resource "azurerm_role_assignment" "reader" { - depends_on = [azurerm_user_assigned_identity.managed_app_identity] + depends_on = [azurerm_user_assigned_identity.managed_app_identity] scope = azurerm_virtual_hub.vwan-hub.id role_definition_name = "Reader" principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id 
@@ -123,9 +127,9 @@ resource "random_id" "randomId" { } resource "azurerm_role_definition" "public-ip-join-role" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 - name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}" - scope = local.public_ip_resource_group + count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 + name = "Managed Application Public IP Join Role - ${random_id.randomId.hex}" + scope = local.public_ip_resource_group permissions { actions = ["Microsoft.Network/publicIPAddresses/join/action"] not_actions = [] @@ -134,8 +138,8 @@ resource "azurerm_role_definition" "public-ip-join-role" { } resource "azurerm_role_assignment" "public-ip-join-role-assignment" { - count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 - scope = local.public_ip_resource_group + count = var.new-public-ip == "yes" || length(var.existing-public-ip) > 0 ? 1 : 0 + scope = local.public_ip_resource_group role_definition_id = azurerm_role_definition.public-ip-join-role[0].role_definition_resource_id principal_id = azurerm_user_assigned_identity.managed_app_identity.principal_id } 
@@ -143,120 +147,126 @@ resource "azurerm_role_assignment" "public-ip-join-role-assignment" { //********************** Managed Application Configuration **************************// resource "azapi_resource" "managed-app" { depends_on = [azurerm_marketplace_agreement.accept-marketplace-terms, azurerm_resource_provider_registration.solutions] - type = "Microsoft.Solutions/applications@2019-07-01" - name = var.managed-app-name - location = azurerm_resource_group.managed-app-rg.location - parent_id = azurerm_resource_group.managed-app-rg.id + type = "Microsoft.Solutions/applications@2019-07-01" + name = var.managed-app-name + location = azurerm_resource_group.managed-app-rg.location + parent_id = azurerm_resource_group.managed-app-rg.id body = { - kind = "MarketPlace", - plan = { - name = "vwan-app" - product = var.plan_product - publisher = "checkpoint" - version = var.plan_version - }, - identity = { - type = "UserAssigned" - userAssignedIdentities = { + kind = "MarketPlace", + plan = { + name = "vwan-app" + product = var.plan_product + publisher = "checkpoint" + version = var.plan_version + }, + identity = { + type = "UserAssigned" + userAssignedIdentities = { (azurerm_user_assigned_identity.managed_app_identity.id) = {} } - }, - properties = { - parameters = { - location = { - value = azurerm_resource_group.managed-app-rg.location - }, - hubId = { - value = azurerm_virtual_hub.vwan-hub.id - }, - osVersion = { - value = var.os-version - }, - LicenseType = { - value = var.license-type - }, - imageVersion = { - value = element(local.image_versions, length(local.image_versions) -1) - }, - scaleUnit = { - value = var.scale-unit - }, - bootstrapScript = { - value = var.bootstrap-script - }, - adminShell = { - value = var.admin-shell - }, - sicKey = { - value = var.sic-key - }, - sshPublicKey = { - value = var.admin_SSH_key - }, - BGP = { - value = var.bgp-asn - }, - NVA = { - value = var.nva-name - }, - customMetrics = { - value = var.custom-metrics - }, - hubASN = { - 
value = azurerm_virtual_hub.vwan-hub.virtual_router_asn - }, - hubPeers = { - value = azurerm_virtual_hub.vwan-hub.virtual_router_ips - }, - smart1CloudTokenA = { - value = var.smart1-cloud-token-a - }, - smart1CloudTokenB = { - value = var.smart1-cloud-token-b - }, - smart1CloudTokenC = { - value = var.smart1-cloud-token-c - }, - smart1CloudTokenD = { - value = var.smart1-cloud-token-d - }, - smart1CloudTokenE = { - value = var.smart1-cloud-token-e - }, - publicIPIngress = { - value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no" - }, - createNewIPIngress = { - value = var.new-public-ip - }, - ipIngressExistingResourceId = { - value = var.existing-public-ip - }, - templateName = { - value = "wan_terraform_registry" - }, - customLicenseType = { - value = var.custom_license_type - } - }, - managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}" - } + }, + properties = { + parameters = { + location = { + value = azurerm_resource_group.managed-app-rg.location + }, + hubId = { + value = azurerm_virtual_hub.vwan-hub.id + }, + osVersion = { + value = var.os-version + }, + LicenseType = { + value = var.license-type + }, + imageVersion = { + value = element(local.image_versions, length(local.image_versions) - 1) + }, + scaleUnit = { + value = var.scale-unit + }, + bootstrapScript = { + value = var.bootstrap-script + }, + adminShell = { + value = var.admin-shell + }, + sicKey = { + value = var.sic-key + }, + sshPublicKey = { + value = var.admin_SSH_key + }, + BGP = { + value = var.bgp-asn + }, + NVA = { + value = var.nva-name + }, + customMetrics = { + value = var.custom-metrics + }, + hubASN = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_asn + }, + hubPeers = { + value = azurerm_virtual_hub.vwan-hub.virtual_router_ips + }, + smart1CloudTokenA = { + value = var.smart1-cloud-token-a + }, + smart1CloudTokenB = { + value = var.smart1-cloud-token-b + }, + smart1CloudTokenC = { + value = 
var.smart1-cloud-token-c + }, + smart1CloudTokenD = { + value = var.smart1-cloud-token-d + }, + smart1CloudTokenE = { + value = var.smart1-cloud-token-e + }, + publicIPIngress = { + value = (var.new-public-ip == "yes" || length(var.existing-public-ip) > 0) ? "yes" : "no" + }, + createNewIPIngress = { + value = var.new-public-ip + }, + ipIngressExistingResourceId = { + value = var.existing-public-ip + }, + templateName = { + value = "wan_terraform_registry" + }, + tags = { + value = { + "Microsoft.Network/networkVirtualAppliances" = merge(lookup(var.tags, "network-virtual-appliance", {}), lookup(var.tags, "all", {})) + } + } + }, + managedResourceGroupId = "/subscriptions/${var.subscription_id}/resourcegroups/${var.nva-rg-name}" + } } + + tags = merge(lookup(var.tags, "managed-application", {}), lookup(var.tags, "all", {})) } //********************** Routing Intent **************************// resource "azapi_resource" "routing_intent" { - count = length(local.routing-intent-policies) != 0 ? 1 : 0 + count = length(local.routing-intent-policies) != 0 ? 1 : 0 depends_on = [azapi_resource.managed-app] - type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01" - name = "hubRoutingIntent" - parent_id = azurerm_virtual_hub.vwan-hub.id + type = "Microsoft.Network/virtualHubs/routingIntent@2024-05-01" + name = "hubRoutingIntent" + parent_id = azurerm_virtual_hub.vwan-hub.id body = { properties = { routingPolicies = local.routing-intent-policies } } -} \ No newline at end of file + + tags = merge(lookup(var.tags, "routing-intent", {}), lookup(var.tags, "all", {})) +} diff --git a/modules/nva_into_new_vwan/variables.tf b/modules/nva_into_new_vwan/variables.tf index 3c294b4..1cfb03e 100755 --- a/modules/nva_into_new_vwan/variables.tf +++ b/modules/nva_into_new_vwan/variables.tf 
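Review bot: The new side still sets `product = var.plan_product` and `version = var.plan_version` in the managed-app plan (and `offer = var.plan_product` in the marketplace-agreement hunk above), yet the variables.tf hunk further down (`@@ -188,44 +188,28 @@`) deletes the `plan_product` and `plan_version` declarations, so unless they are declared in another file of nva_into_new_vwan, `terraform validate` will fail with a reference to an undeclared input variable. Either keep the two declarations or revert the three references. The `customLicenseType` template parameter is also dropped in this hunk; if reverting the earlier "Added plan parameters" change is intended, the commit message should say so, because it is hard to see behind the ~100-line re-indent (running `terraform fmt` in its own commit would keep the functional change reviewable). Before adding `tags = merge(...)` to the `routing_intent` azapi_resource, confirm that `Microsoft.Network/virtualHubs/routingIntent` accepts a top-level `tags` property; hub child resources often do not, and azapi may reject an unsupported property at apply time. If the parameterisation is kept, note that the agreement lookup URL in the hunk above still hard-codes `offers/cp-vwan-managed-app`, so for any other product the `count` check would inspect the wrong offer.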
@@ -1,6 +1,6 @@ variable "authentication_method" { description = "Azure authentication method" - type = string + type = string validation { condition = contains(["Azure CLI", "Service Principal"], var.authentication_method) error_message = "Valid values for authentication_method are 'Azure CLI','Service Principal'" @@ -9,22 +9,22 @@ variable "authentication_method" { variable "subscription_id" { description = "Subscription ID" - type = string + type = string } variable "tenant_id" { description = "Tenant ID" - type = string + type = string } variable "client_id" { description = "Application ID(Client ID)" - type = string + type = string } variable "client_secret" { description = "A secret string that the application uses to prove its identity when requesting a token. Also can be referred to as application password." - type = string + type = string } variable "resource-group-name" { @@ -73,10 +73,10 @@ variable "nva-name" { variable "os-version" { description = "GAIA OS version" - type = string - default = "R82" + type = string + default = "R82" validation { - condition = contains(["R8110", "R8120", "R82"], var.os-version) + condition = contains(["R8110", "R8120", "R82"], var.os-version) error_message = "Allowed values for os-version are 'R8110', 'R8120', 'R82'" } } @@ -118,7 +118,7 @@ variable "sic-key" { default = "" sensitive = true validation { - condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key)) + condition = can(regex("^[a-z0-9A-Z]{8,30}$", var.sic-key)) error_message = "Only alphanumeric characters are allowed, and the value must be 8-30 characters long." } } 
@@ -132,7 +132,7 @@ variable "bgp-asn" {
 type = string
 default = "64512"
 validation {
- condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
+ condition = tonumber(var.bgp-asn) >= 64512 && tonumber(var.bgp-asn) <= 65534 && !contains([65515, 65520], tonumber(var.bgp-asn))
 error_message = "Only numbers between 64512 to 65534 are allowed excluding 65515, 65520."
 }
 }
@@ -188,44 +188,28 @@ variable "smart1-cloud-token-e" { } variable "existing-public-ip" { - type = string - default = "" + type = string + default = "" } variable "new-public-ip" { - type = string + type = string default = "no" - validation { + validation { condition = contains(["yes", "no"], var.new-public-ip) error_message = "Valid options are string('yes' or 'no')" } } -locals{ +locals { # Validate that new-public-ip is false when existing-public-ip is used - is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" + is_both_params_used = length(var.existing-public-ip) > 0 && var.new-public-ip == "yes" validation_message_both = "Only one parameter of existing-public-ip or new-public-ip can be used" - _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) + _ = regex("^$", (!local.is_both_params_used ? "" : local.validation_message_both)) } -variable "plan_product" { - description = "Use the following plan when deploying with terraform: cp-vwan-managed-app" - type = string - default = "cp-vwan-managed-app" -} - -variable "plan_version" { - description = "Use the latest version of the managed application (e.g., 1.0.23) for best results. Full version list: https://support.checkpoint.com/results/sk/sk132192" - type = string - default = "1.0.23" +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} } - -variable "custom_license_type" { - description = "License type when using staged image." - type = string - default = "" - validation { - condition = contains(["", "ngtp", "ngtx", "premium"], var.custom_license_type) - error_message = "Valid options are 'ngtp', 'ngtx', or 'premium' or empty." - } -} \ No newline at end of file diff --git a/modules/single_gateway_existing_vnet/README.md b/modules/single_gateway_existing_vnet/README.md index 64ba5e6..fb56ba7 100755 --- a/modules/single_gateway_existing_vnet/README.md 
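Review bot: The added `variable "tags"` accepts any scope key, so a misspelled scope such as `managed-app` is silently ignored rather than reported; a `validation` block restricting keys to the scopes main.tf actually looks up in the visible hunks (`all`, `managed-identity`, `managed-application`, `routing-intent`, `network-virtual-appliance`) would catch this at plan time. The same unvalidated declaration is added in single_gateway_existing_vnet, single_gateway_new_vnet and vmss_existing_vnet variables.tf, each needing its own scope list. The removal of `plan_product`/`plan_version` here is raised on the main.tf hunk above, which still references them. While in this file: `client_secret` (whitespace-only hunk at `@@ -9,22 +9,22 @@`) is not marked `sensitive = true`, unlike `sic-key`, so its value is not redacted from plan and apply output.
```hcl
variable "tags" {
  # … unchanged: description, type, default …
  validation {
    # scope keys must match the lookup() keys used in this module's main.tf
    condition     = alltrue([for scope in keys(var.tags) : contains(["all", "managed-identity", "managed-application", "routing-intent", "network-virtual-appliance"], scope)])
    error_message = "Unsupported tag scope; allowed keys are 'all', 'managed-identity', 'managed-application', 'routing-intent' and 'network-virtual-appliance'."
  }
}
```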
+++ b/modules/single_gateway_existing_vnet/README.md @@ -23,7 +23,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_existing_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" resource_group_name = "checkpoint-single-gw-terraform" @@ -99,4 +99,5 @@ module "example_module" { | **maintenance_mode_password_hash** | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here | string | | | **nsg_id** | Optional ID for a Network Security Group that already exists in Azure, if not provided, will create a default NSG | string | Existing NSG resource ID.
**Default:** "" | | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | -| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | \ No newline at end of file +| **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/single_gateway_existing_vnet/locals.tf b/modules/single_gateway_existing_vnet/locals.tf index f9af94a..57ecef8 100755 --- a/modules/single_gateway_existing_vnet/locals.tf +++ b/modules/single_gateway_existing_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "single_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/single_gateway_existing_vnet/main.tf b/modules/single_gateway_existing_vnet/main.tf index 9891a59..8ec47c1 100755 --- a/modules/single_gateway_existing_vnet/main.tf +++ b/modules/single_gateway_existing_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -45,6 +46,8 @@ resource "azurerm_public_ip" "public-ip" { lower(var.single_gateway_name), "-", random_id.randomId.hex]) + + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } module "network_security_group" { @@ -54,6 +57,7 @@ module "network_security_group" { security_group_name = "${module.common.resource_group_name}-nsg" location = module.common.resource_group_location security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { 
@@ -79,6 +83,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = var.subnet_frontend_1st_Address public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface" "nic1" { @@ -96,6 +102,8 @@ resource "azurerm_network_interface" "nic1" { private_ip_address_allocation = var.vnet_allocation_method private_ip_address = var.subnet_backend_1st_Address } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -125,6 +133,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { } } + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -144,6 +153,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "single-gateway-vm-instance" { @@ -232,4 +243,6 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } diff --git a/modules/single_gateway_existing_vnet/variables.tf b/modules/single_gateway_existing_vnet/variables.tf index 1c2f588..b7a92ef 100755 --- a/modules/single_gateway_existing_vnet/variables.tf +++ b/modules/single_gateway_existing_vnet/variables.tf @@ -269,3 +269,9 @@ variable "security_rules" { } ] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/single_gateway_new_vnet/README.md b/modules/single_gateway_new_vnet/README.md index bc34f48..e385934 100755 
--- a/modules/single_gateway_new_vnet/README.md +++ b/modules/single_gateway_new_vnet/README.md @@ -25,7 +25,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/single_gateway_new_vnet" - version = "1.0.5" + version = "1.0.6" source_image_vhd_uri = "noCustomUri" resource_group_name = "checkpoint-single-gw-terraform" @@ -99,3 +99,4 @@ module "example_module" { | **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | | **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | | **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`route-table`
`storage-account`
`virtual-machine`
`custom-image`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/single_gateway_new_vnet/locals.tf b/modules/single_gateway_new_vnet/locals.tf index f9af94a..57ecef8 100755 --- a/modules/single_gateway_new_vnet/locals.tf +++ b/modules/single_gateway_new_vnet/locals.tf @@ -1,4 +1,4 @@ locals { module_name = "single_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" } diff --git a/modules/single_gateway_new_vnet/main.tf b/modules/single_gateway_new_vnet/main.tf index cdb1506..6edf9f4 100755 --- a/modules/single_gateway_new_vnet/main.tf +++ b/modules/single_gateway_new_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -31,7 +32,8 @@ module "vnet" { address_space = var.address_space subnet_prefixes = [var.frontend_subnet_prefix, var.backend_subnet_prefix] subnet_names = ["${var.single_gateway_name}-frontend-subnet", "${var.single_gateway_name}-backend-subnet"] - nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id + nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id : var.nsg_id + tags = var.tags } module "network_security_group" { 
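Review bot: `tags = var.tags` in `module "vnet"` passes the whole `map(map(string))`, while every other call site in this file passes an already merged `map(string)` (`merge(lookup(var.tags, "<scope>", {}), lookup(var.tags, "all", {}))`). If the vnet module's `tags` input is `map(string)` this is a type mismatch at plan time; if the module performs its own `lookup` for the `virtual-network` and `route-table` scopes the README lists, it works, but the asymmetry deserves a comment such as `# vnet module merges the virtual-network/route-table scopes with "all" itself`. The vnet module is not part of this diff, so I cannot tell which case applies.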
@@ -41,6 +43,7 @@ module "network_security_group" { security_group_name = "${module.common.resource_group_name}-nsg" location = module.common.resource_group_location security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip" { @@ -54,6 +57,8 @@ resource "azurerm_public_ip" "public-ip" { lower(var.single_gateway_name), "-", random_id.randomId.hex]) + + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface_security_group_association" "security_group_association" { @@ -79,6 +84,8 @@ resource "azurerm_network_interface" "nic" { private_ip_address = cidrhost(var.frontend_subnet_prefix, 4) public_ip_address_id = azurerm_public_ip.public-ip.id } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } resource "azurerm_network_interface" "nic1" { @@ -96,6 +103,8 @@ resource "azurerm_network_interface" "nic1" { private_ip_address_allocation = var.vnet_allocation_method private_ip_address = cidrhost(var.backend_subnet_prefix, 4) } + + tags = merge(lookup(var.tags, "network-interface", {}), lookup(var.tags, "all", {})) } //********************** Storage accounts **************************// @@ -125,6 +134,7 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { } } + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -144,6 +154,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_virtual_machine" "single-gateway-vm-instance" { 
@@ -231,4 +243,6 @@ resource "azurerm_virtual_machine" "single-gateway-vm-instance" { managed_disk_type = module.common.storage_account_type disk_size_gb = module.common.disk_size } + + tags = merge(lookup(var.tags, "virtual-machine", {}), lookup(var.tags, "all", {})) } diff --git a/modules/single_gateway_new_vnet/variables.tf b/modules/single_gateway_new_vnet/variables.tf index 00c725d..2430f01 100755 --- a/modules/single_gateway_new_vnet/variables.tf +++ b/modules/single_gateway_new_vnet/variables.tf @@ -268,4 +268,10 @@ variable "admin_SSH_key" { type = string description = "(Optional) TheUsed when the authentication_type is 'SSH Public Key'. The SSH public key for SSH authentication to the template instances." default = "" -} \ No newline at end of file +} + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} diff --git a/modules/vmss_existing_vnet/README.md b/modules/vmss_existing_vnet/README.md index 68f9a53..f2da9da 100755 --- a/modules/vmss_existing_vnet/README.md +++ b/modules/vmss_existing_vnet/README.md @@ -24,7 +24,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_existing_vnet" - version = "1.0.5" + version = "1.0.6" subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" source_image_vhd_uri = "noCustomUri" @@ -144,4 +144,5 @@ module "example_module" { | **add_storage_account_ip_rules** | Add Storage Account IP rules that allow access to the Serial Console only for IPs based on their geographic location, if false then accses will be allowed from all networks | boolean | true;
false.
**Default:** false | | **storage_account_additional_ips** | IPs/CIDRs that are allowed access to the Storage Account | list(string) | A list of valid IPs and CIDRs.
**Default:** [] | | **security_rules** | Security rules for the Network Security | list(any) | A list of valid security rules values.
A security rule composed of:
{name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}.
**Default:** [{"name":"AllowAllInBound", "priority":"100", "direction":"Inbound", "access":"Allow", "protocol":"*", "source_port_ranges":"*", "destination_port_ranges":"", "description":"Allow all inbound connections", "source_address_prefix":"*", "destination_address_prefix":""}] | -| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | \ No newline at end of file +| **admin_SSH_key** | The SSH public key for SSH connections to the instance.
Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/vmss_existing_vnet/locals.tf b/modules/vmss_existing_vnet/locals.tf index 302d292..f55ca15 100755 --- a/modules/vmss_existing_vnet/locals.tf +++ b/modules/vmss_existing_vnet/locals.tf @@ -1,6 +1,6 @@ locals { module_name = "vmss_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" // Validate that the minimum number of VM instances is at least 0. // If not, return an error message. @@ -17,4 +17,23 @@ locals { // Validate the number of VM instances against the minimum requirement. // If the number of instances is less than the minimum, return an error message. validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.") + + vmss_tags = var.management_interface == "eth0" ? { + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-management-address = var.management_IP, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } : { + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } } 
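Review bot: The new `vmss_tags` local repeats the same seven `x-chkp-*` entries in both arms of the conditional, the only difference being `x-chkp-management-address`; building the base map once and merging the conditional key removes the duplication and makes the eth0-only behaviour explicit. These tags carry the gateway's management configuration (management name, template, topology, image URI), and the main.tf hunks place `local.vmss_tags` last in every `merge()` so that values from `var.tags` cannot override them — that precedence is not stated anywhere and belongs in a comment on the local. The restructured form:
```hcl
  # x-chkp-* tags hold the gateway's management configuration; main.tf merges
  # this map last so that keys supplied through var.tags cannot override them.
  vmss_base_tags = {
    x-chkp-management           = var.management_name,
    x-chkp-template             = var.configuration_template_name,
    x-chkp-ip-address           = local.management_ip_address_type,
    x-chkp-management-interface = local.management_interface_name,
    x-chkp-topology             = "eth0:external,eth1:internal",
    x-chkp-anti-spoofing        = "eth0:false,eth1:false",
    x-chkp-srcImageUri          = var.source_image_vhd_uri
  }
  # management address is only set when management_interface is eth0 (existing behaviour)
  vmss_tags = merge(local.vmss_base_tags, var.management_interface == "eth0" ? { x-chkp-management-address = var.management_IP } : {})
```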
diff --git a/modules/vmss_existing_vnet/main.tf b/modules/vmss_existing_vnet/main.tf index 14dac00..1d28cdb 100755 --- a/modules/vmss_existing_vnet/main.tf +++ b/modules/vmss_existing_vnet/main.tf @@ -19,6 +19,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}), local.vmss_tags) } //********************** Networking **************************// @@ -42,6 +43,7 @@ module "network_security_group" { security_group_name = "${module.common.resource_group_name}_nsg" location = module.common.resource_group_location security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } //********************** Load Balancers **************************// @@ -58,6 +60,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name prefix_length = 30 + tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip-lb" { @@ -69,6 +72,7 @@ resource "azurerm_public_ip" "public-ip-lb" { sku = var.sku domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb" "frontend-lb" { 
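Review bot: `module "common"` now receives `merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {}), local.vmss_tags)`, so the `x-chkp-*` management tags (including `x-chkp-management-address`, the management IP) presumably land on the resource group as well as on the scale set. If the common module applies its `tags` input to the resource group, confirm that is wanted: the README documents `resource-group` as a user-controlled scope, and no other module in this diff tags its resource group with module-generated values. If intentional, a comment such as `# x-chkp-* tags are mirrored onto the resource group on purpose` on this line would stop the next reader from removing it as a copy-paste slip. The remaining hunks on this line (nsg, public-ip-prefix, public-ip) follow the standard two-scope merge.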
@@ -83,6 +87,8 @@ resource "azurerm_lb" "frontend-lb" { name = "${var.vmss_name}-app-1" public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { @@ -103,6 +109,8 @@ resource "azurerm_lb" "backend-lb" { private_ip_address_allocation = "Static" private_ip_address = cidrhost(data.azurerm_subnet.backend.address_prefixes[0],var.backend_lb_IP_address) } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { @@ -195,6 +203,8 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } + + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } @@ -218,6 +228,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_linux_virtual_machine_scale_set" "vmss" { 
@@ -335,24 +347,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" { } } - tags = var.management_interface == "eth0"?{ - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, - x-chkp-management-interface = local.management_interface_name, - x-chkp-management-address = var.management_IP, - x-chkp-topology = "eth0:external,eth1:internal", - x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri - }:{ - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, - x-chkp-management-interface = local.management_interface_name, - x-chkp-topology = "eth0:external,eth1:internal", - x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri - } + tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags) } resource "azurerm_monitor_autoscale_setting" "vmss_settings" { @@ -419,6 +414,8 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { custom_emails = var.notification_email == "" ? [] : [var.notification_email] } } + + tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {})) } resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ diff --git a/modules/vmss_existing_vnet/variables.tf b/modules/vmss_existing_vnet/variables.tf index ab88499..8a2fcf7 100755 --- a/modules/vmss_existing_vnet/variables.tf +++ b/modules/vmss_existing_vnet/variables.tf @@ -415,3 +415,9 @@ variable "security_rules" { } ] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} \ No newline at end of file diff --git a/modules/vmss_new_vnet/README.md b/modules/vmss_new_vnet/README.md index cf44905..b333d89 100755 --- a/modules/vmss_new_vnet/README.md 
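Review bot: The new `tags` expression depends on argument order — `local.vmss_tags` is last, so user-supplied `all` or `virtual-machine-scale-set` tags cannot overwrite the x-chkp-* keys that, judging by their names, the management side reads for registration — but nothing in the code says so, and the README documents a different precedence (`all` wins) for every other resource. A one-line comment above it would keep the next contributor from "fixing" the order: `# local.vmss_tags must stay last: the x-chkp-* keys are read by Check Point management and must not be overridable via var.tags`. Consider additionally rejecting `x-chkp-`-prefixed keys in `var.tags` with a validation block, so a user tag is not silently discarded here. The enclosing `azurerm_linux_virtual_machine_scale_set` resource starts before this hunk.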
+++ b/modules/vmss_new_vnet/README.md @@ -29,7 +29,7 @@ provider "azurerm" { module "example_module" { source = "CheckPointSW/cloudguard-network-security/azure//modules/vmss_new_vnet" - version = "1.0.5" + version = "1.0.6" subscription_id = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" source_image_vhd_uri = "noCustomUri" @@ -145,3 +145,4 @@ module "example_module" { | **security_rules** | SSecurity rules for the Network Security | list(any) | A security rule composed of: {name, priority, direction, access, protocol, source_port_ranges, destination_port_ranges, source_address_prefix, destination_address_prefix, description}
**Default:** [] | | **admin_SSH_key** | The SSH public key for SSH connections to the instance. Used when the authentication_type is 'SSH Public Key' | string | **Default:** "" | | **is_blink** | Define if blink image is used for deployment | boolean | true;
false;
**Default:** true | +| **tags** | Tags can be associated either globally across all resources or scoped to specific resource types. For example, a global tag can be defined as: {"all": {"example": "example"}}.
Supported resource types for tag assignment include:
`all` (Applies tags universally to all resource instances)
`resource-group`
`virtual-network`
`network-security-group`
`network-interface`
`public-ip`
`public-ip-prefix`
`load-balancer`
`route-table`
`storage-account`
`virtual-machine-scale-set`
`custom-image`
`autoscale-setting`
**Important:** When identical tag keys are defined both globally under `all` and within a specific resource scope, the tag value specified under `all` overrides the resource-specific tag. | map(map(string)) | {} | \ No newline at end of file diff --git a/modules/vmss_new_vnet/locals.tf b/modules/vmss_new_vnet/locals.tf index 302d292..f55ca15 100755 --- a/modules/vmss_new_vnet/locals.tf +++ b/modules/vmss_new_vnet/locals.tf @@ -1,6 +1,6 @@ locals { module_name = "vmss_terraform_registry" - module_version = "1.0.5" + module_version = "1.0.6" // Validate that the minimum number of VM instances is at least 0. // If not, return an error message. @@ -17,4 +17,23 @@ locals { // Validate the number of VM instances against the minimum requirement. // If the number of instances is less than the minimum, return an error message. validate_number_of_vm_instances = local.number_of_vm_instances >= var.minimum_number_of_vm_instances? 0 : index("error: The number of VM instances must be at least ${var.minimum_number_of_vm_instances}.") + + vmss_tags = var.management_interface == "eth0" ? { + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-management-address = var.management_IP, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } : { + x-chkp-management = var.management_name, + x-chkp-template = var.configuration_template_name, + x-chkp-ip-address = local.management_ip_address_type, + x-chkp-management-interface = local.management_interface_name, + x-chkp-topology = "eth0:external,eth1:internal", + x-chkp-anti-spoofing = "eth0:false,eth1:false", + x-chkp-srcImageUri = var.source_image_vhd_uri + } } diff --git a/modules/vmss_new_vnet/main.tf b/modules/vmss_new_vnet/main.tf index 76b226a..f69289e 100755 
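Review bot: In the locals.tf hunk, the two branches of `vmss_tags` repeat seven identical keys and differ only in the presence of `x-chkp-management-address`, so any future change to a shared key has to be made twice and the branches can drift apart. Building the common map once and merging in the conditional key gives the same result with a single definition; the original conditional already relies on Terraform unifying objects with differing key sets, so the `{}` branch below should be accepted the same way.
```hcl
  vmss_tags = merge({
    x-chkp-management           = var.management_name,
    x-chkp-template             = var.configuration_template_name,
    x-chkp-ip-address           = local.management_ip_address_type,
    x-chkp-management-interface = local.management_interface_name,
    x-chkp-topology             = "eth0:external,eth1:internal",
    x-chkp-anti-spoofing        = "eth0:false,eth1:false",
    x-chkp-srcImageUri          = var.source_image_vhd_uri
  }, var.management_interface == "eth0" ? { x-chkp-management-address = var.management_IP } : {})
```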
--- a/modules/vmss_new_vnet/main.tf +++ b/modules/vmss_new_vnet/main.tf @@ -1,3 +1,7 @@ +provider "azurerm" { + features {} +} + //********************** Basic Configuration **************************// module "common" { source = "../common" @@ -19,6 +23,7 @@ module "common" { serial_console_password_hash = var.serial_console_password_hash maintenance_mode_password_hash = var.maintenance_mode_password_hash storage_account_additional_ips = var.storage_account_additional_ips + tags = merge(lookup(var.tags, "resource-group", {}), lookup(var.tags, "all", {})) } //********************** Networking **************************// @@ -30,6 +35,7 @@ module "vnet" { nsg_id = var.nsg_id == "" ? module.network_security_group[0].network_security_group_id: var.nsg_id address_space = var.address_space subnet_prefixes = var.subnet_prefixes + tags = var.tags } module "network_security_group" { @@ -39,6 +45,7 @@ module "network_security_group" { security_group_name = "${module.common.resource_group_name}_nsg" location = module.common.resource_group_location security_rules = var.security_rules + tags = merge(lookup(var.tags, "network-security-group", {}), lookup(var.tags, "all", {})) } //********************** Load Balancers **************************// @@ -55,6 +62,7 @@ resource "azurerm_public_ip_prefix" "public_ip_prefix" { location = module.common.resource_group_location resource_group_name = module.common.resource_group_name prefix_length = 30 + tags = merge(lookup(var.tags, "public-ip-prefix", {}), lookup(var.tags, "all", {})) } resource "azurerm_public_ip" "public-ip-lb" { 
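Review bot: The new `provider "azurerm" { features {} }` block at the top of modules/vmss_new_vnet/main.tf gives a child module its own provider configuration, which Terraform documents as a legacy pattern: a module that contains provider blocks cannot be called with `count`, `for_each` or `depends_on`, and removing the module from a configuration later fails because the provider needed to destroy its resources disappears with it. The README example already shows the root configuration declaring `provider "azurerm"`, so the module should keep inheriting that provider; I'd drop these four lines, and if the intent was to pin a provider version, express it in `required_providers` instead.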
@@ -66,6 +74,7 @@ resource "azurerm_public_ip" "public-ip-lb" { sku = var.sku domain_name_label = "${lower(var.vmss_name)}-${random_id.random_id.hex}" public_ip_prefix_id = var.use_public_ip_prefix ? (var.create_public_ip_prefix ? azurerm_public_ip_prefix.public_ip_prefix[0].id : var.existing_public_ip_prefix_id) : null + tags = merge(lookup(var.tags, "public-ip", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb" "frontend-lb" { @@ -80,6 +89,8 @@ resource "azurerm_lb" "frontend-lb" { name = "${var.vmss_name}-app-1" public_ip_address_id = azurerm_public_ip.public-ip-lb[0].id } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "frontend-lb-pool" { @@ -100,6 +111,8 @@ resource "azurerm_lb" "backend-lb" { private_ip_address_allocation = module.vnet.allocation_method private_ip_address = cidrhost(module.vnet.subnet_prefixes[1], var.backend_lb_IP_address) } + + tags = merge(lookup(var.tags, "load-balancer", {}), lookup(var.tags, "all", {})) } resource "azurerm_lb_backend_address_pool" "backend-lb-pool" { @@ -192,6 +205,8 @@ resource "azurerm_storage_account" "vm-boot-diagnostics-storage" { days = "15" } } + + tags = merge(lookup(var.tags, "storage-account", {}), lookup(var.tags, "all", {})) } //********************** Virtual Machines **************************// @@ -214,6 +229,8 @@ resource "azurerm_image" "custom-image" { os_state = "Generalized" blob_uri = var.source_image_vhd_uri } + + tags = merge(lookup(var.tags, "custom-image", {}), lookup(var.tags, "all", {})) } resource "azurerm_linux_virtual_machine_scale_set" "vmss" { 
@@ -330,24 +347,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "vmss" { } } - tags = var.management_interface == "eth0"?{ - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, - x-chkp-management-interface = local.management_interface_name, - x-chkp-management-address = var.management_IP, - x-chkp-topology = "eth0:external,eth1:internal", - x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri - }:{ - x-chkp-management = var.management_name, - x-chkp-template = var.configuration_template_name, - x-chkp-ip-address = local.management_ip_address_type, - x-chkp-management-interface = local.management_interface_name, - x-chkp-topology = "eth0:external,eth1:internal", - x-chkp-anti-spoofing = "eth0:false,eth1:false", - x-chkp-srcImageUri = var.source_image_vhd_uri - } + tags = merge(lookup(var.tags, "virtual-machine-scale-set", {}), lookup(var.tags, "all", {}), local.vmss_tags) } resource "azurerm_monitor_autoscale_setting" "vmss_settings" { @@ -414,6 +414,8 @@ resource "azurerm_monitor_autoscale_setting" "vmss_settings" { custom_emails = var.notification_email == "" ? [] : [var.notification_email] } } + + tags = merge(lookup(var.tags, "autoscale-setting", {}), lookup(var.tags, "all", {})) } resource "azurerm_role_assignment" "custom_metrics_role_assignment"{ diff --git a/modules/vmss_new_vnet/variables.tf b/modules/vmss_new_vnet/variables.tf index ecf269c..da6b93e 100755 --- a/modules/vmss_new_vnet/variables.tf +++ b/modules/vmss_new_vnet/variables.tf @@ -404,3 +404,9 @@ variable "security_rules" { } ] } + +variable "tags" { + description = "Assign tags by resource." + type = map(map(string)) + default = {} +} \ No newline at end of file diff --git a/modules/vnet/main.tf b/modules/vnet/main.tf index f4665fe..b9edafa 100755 --- a/modules/vnet/main.tf +++ b/modules/vnet/main.tf 
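Review bot: `variable "tags"` accepts any outer key, so a scope name that is misspelled or unsupported (`loadbalancer`, `storage_account`) is silently ignored by every `lookup(var.tags, "...", {})` and the affected resources simply go untagged, which matters when tags drive cost allocation or policy enforcement. A validation block listing the scopes the README documents turns that into a plan-time error, and the description should say where the scope names come from.
```hcl
variable "tags" {
  description = "Tags per resource scope, e.g. {\"all\": {...}, \"virtual-machine-scale-set\": {...}}; supported scope names are listed in README.md."
  type        = map(map(string))
  default     = {}

  validation {
    condition = alltrue([
      for scope in keys(var.tags) : contains([
        "all", "resource-group", "virtual-network", "network-security-group",
        "network-interface", "public-ip", "public-ip-prefix", "load-balancer",
        "route-table", "storage-account", "virtual-machine-scale-set",
        "custom-image", "autoscale-setting",
      ], scope)
    ])
    error_message = "Unsupported tag scope in var.tags; see README.md for the list of supported resource scope names."
  }
}
```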
@@ -4,7 +4,7 @@ resource "azurerm_virtual_network" "vnet" { address_space = [var.address_space] resource_group_name = var.resource_group_name dns_servers = var.dns_servers - tags = var.tags + tags = merge(lookup(var.tags, "virtual-network", {}), lookup(var.tags, "all", {})) } resource "azurerm_subnet" "subnet" { @@ -55,6 +55,8 @@ resource "azurerm_route_table" "frontend" { next_hop_type = local.next_hop_type_allowed_values[3] next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[0].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v]) } + + tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {})) } resource "azurerm_subnet_route_table_association" "frontend_association" { @@ -74,6 +76,8 @@ resource "azurerm_route_table" "backend" { next_hop_type = local.next_hop_type_allowed_values[3] next_hop_in_ip_address = join(".", [for i, v in split(".", element(split("/", azurerm_subnet.subnet[1].address_prefixes[0]), 0)) : i == 3 ? tostring(tonumber(v) + 4) : v]) } + + tags = merge(lookup(var.tags, "route-table", {}), lookup(var.tags, "all", {})) } resource "azurerm_subnet_route_table_association" "backend_association" { diff --git a/modules/vnet/variables.tf b/modules/vnet/variables.tf index 1f64d28..3a34972 100755 --- a/modules/vnet/variables.tf +++ b/modules/vnet/variables.tf @@ -40,7 +40,7 @@ variable "subnet_names" { variable "tags" { description = "Tags to be associated with Virtual Network and subnets" - type = map(string) + type = map(map(string)) default = {} } variable "nsg_id" {
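Review bot: Changing `variable "tags"` in modules/vnet from `map(string)` to `map(map(string))` is a breaking interface change for every caller of this shared module, not only vmss_new_vnet: a caller still passing a flat `{ env = "prod" }` now fails type-checking because string values arrive where maps are expected. Only the vmss_new_vnet call site is updated in the visible diff, so any other module consuming `../vnet` needs the same update in this commit, or the variable needs to accept both shapes. The description is also stale — it still reads as a flat tag map — and something like `"Tags keyed by resource scope (all, virtual-network, route-table); see the calling module's README"` would describe the new contract.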