diff --git a/README.md b/README.md
index 5302f64..4ba5948 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,155 @@
-# Check Point CloudGuard Network Repository Overview
-Check Point CloudGuard Network (formerly known as CloudGuard IaaS) repository.
+
+
+
+
+
+
-The repository contains:
+# Terraform Modules for CloudGuard Network Security (CGNS) - GCP
-* Terraform modules
-* Community-supported content
-## Related Products and Solutions
-* CloudGuard Network Security for GCP
+## Introduction
+This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in GCP. These modules automate the creation of Virtual Networks, Security Gateways, High-Availability architectures, and more, enabling secure and scalable cloud deployments.
-## References
-* For more information about Check Point CloudGuard for Public Cloud, see https://www.checkpoint.com/products/iaas-public-cloud-security/
-* CloudGuard documentation is available at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132552&
-* CloudGuard Network CheckMates community is available at https://community.checkpoint.com/t5/CloudGuard-IaaS/bd-p/cloudguard-iaas
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+### Configuring the Provider
+The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources:
+```
+provider "google" {
+ credentials = file(var.service_account_path)
+ project = var.project
+ region = var.region
+}
+...
+```
+
+1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+2. Select "Editor" Role or verify you have the following permissions:
+ ```
+ compute.autoscalers.create
+ compute.autoscalers.delete
+ compute.autoscalers.get
+ compute.autoscalers.update
+ compute.disks.create
+ compute.firewalls.create
+ compute.firewalls.delete
+ compute.firewalls.get
+ compute.firewalls.update
+ compute.instanceGroupManagers.create
+ compute.instanceGroupManagers.delete
+ compute.instanceGroupManagers.get
+ compute.instanceGroupManagers.use
+ compute.instanceGroups.delete
+ compute.instanceTemplates.create
+ compute.instanceTemplates.delete
+ compute.instanceTemplates.get
+ compute.instanceTemplates.useReadOnly
+ compute.instances.create
+ compute.instances.setMetadata
+ compute.instances.setTags
+ compute.networks.get
+ compute.networks.updatePolicy
+ compute.regions.list
+ compute.subnetworks.get
+ compute.subnetworks.use
+ compute.subnetworks.useExternalIp
+ iam.serviceAccounts.actAs
+ ```
+3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1).
+ - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows:
+ ```
+ service_account_path = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ region = "us-central1"
+ ```
+ - In case the Environment Variables are used, perform modifications described below:
+ a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented:
+ ```
+ provider "google" {
+ // credentials = file(var.service_account_path)
+ // project = var.project
+
+ region = var.region
+ }
+ ```
+ b.In the terraform.tfvars file leave empty double quotes for credentials and project variables:
+ ```
+ service_account_path = ""
+ project = ""
+ ```
+## Usage
+- Fill all variables in the /gcp/autoscale-into-existing-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+ ```
+ terraform init
+ ```
+- Create an execution plan:
+ ```
+ terraform plan
+ ```
+- Create or modify the deployment:
+ ```
+ terraform apply
+ ```
+
+## Repository Structure
+`Submodules:` Contains modular, reusable, production-grade Terraform components, each with its own documentation.
+
+`Examples:` Demonstrates how to use the modules.
+
+
+**Submodules:**
+* [`network-security-integration`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-security-integration) - Deploys GCP Network Security Integration.
+
+Internal Submodules -
+
+* [`firewall-rule`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/firewall-rule) - Deploys firewall rules on GCP VPCs.
+* [`internal-load-balancer`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/internal-load-balancer) - Deploys internal load balanncer.
+* [`network-and-subnet`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-and-subnet) - Deploys VPC and subnetwork in the VPC.
+* [`network-security-integration-common`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-security-integration-common) - Deploys Network Security Integration.
+
+
+***
+
+# Best Practices for Using CloudGuard Modules
+
+## Step 1: Use the Required Module
+Add the required module in your Terraform configuration file (`main.tf`) to deploy resources. For example:
+
+```hcl
+provider "google" {
+ features {}
+}
+
+module "example_module" {
+ source = "CheckPointSW/cloudguard-network-security/gcp//modules/{module_name}"
+ version = "{chosen_version}"
+ # Add the required inputs
+}
+```
+---
+
+## Step 2: Deploy with Terraform
+Use Terraform commands to deploy resources securely.
+
+### Initialize Terraform
+Prepare the working directory and download required provider plugins:
+```hcl
+terraform init
+```
+
+### Plan Deployment
+Preview the changes Terraform will make:
+```hcl
+terraform plan
+```
+### Apply Deployment
+Apply the planned changes and deploy the resources:
+```hcl
+terraform apply
+```
\ No newline at end of file
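Review bot: the provider block under "Step 1: Use the Required Module" is not valid for the Google provider: `features {}` is an azurerm construct, and `provider "google" { features {} }` fails at `terraform init`/`validate`; it should match the block shown earlier in this same file (`credentials`, `project`, `region`). Two further inconsistencies in this hunk: the static-credentials step points at `/gcp/modules/autoscale-into-new-vpc/terraform.tfvars` while the Usage section points at `/gcp/autoscale-into-existing-vpc/terraform.tfvars`, and neither is the NSI module this README is now about; and the module `source` in Step 1 is `CheckPointSW/cloudguard-network-security/gcp` while every submodule link points at the `chkp-olgami/olgami/gcp` registry namespace. The permission list contains only `compute.*` entries plus `iam.serviceAccounts.actAs`, but the `network-security-integration-common` module added in this same change creates `google_network_security_*` resources and an organization-scoped security profile, so a reader who follows the least-privilege path instead of "Editor" will be missing permissions; extend the list (or state which additional roles are required) rather than steering people to "Editor". Minor: "load balanncer" in the submodule list, and the `terraform init/plan/apply` fences are tagged `hcl` although they contain shell commands.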
diff --git a/modules/common/common/main.tf b/modules/common/common/main.tf
new file mode 100644
index 0000000..139597f
--- /dev/null
+++ b/modules/common/common/main.tf
@@ -0,0 +1,2 @@
+
+
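Review bot: `modules/common/common/main.tf` is added containing only two blank lines, and `output.tf` in the same directory is empty. Since `common/variables.tf` declares variables and validation locals that nothing in this module reads, either drop the placeholder files or give the module the content (at minimum the shared `validation` blocks) that makes it worth calling.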
diff --git a/modules/common/common/output.tf b/modules/common/common/output.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/common/common/variables.tf b/modules/common/common/variables.tf
new file mode 100644
index 0000000..73f5440
--- /dev/null
+++ b/modules/common/common/variables.tf
@@ -0,0 +1,79 @@
+variable "installation_type" {
+ type = string
+ description = "Installation type"
+ default = "Gateway only"
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+ validation {
+ condition = contains(["R8110", "R8120" , "R82"], var.os_version)
+ error_message = "Allowed values for os_version are 'R8110' , 'R8120', 'R82'"
+ }
+}
+variable "image_name" {
+ type = string
+ description = "The single gateway and management image name"
+}
+locals {
+ regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-[^(gw)].*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+ regex_validate_gw_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+ regex_validate_image_name = contains(["Gateway only", "Cluster", "AutoScale", "Network Security Integration"], var.installation_type) ? local.regex_validate_gw_image_name : local.regex_validate_mgmt_image_name
+ regex_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : "Variable [image_name] must be a valid Check Point image name of the correct version."
+ index_image_name = index(["0"], local.regex_image_name)
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL)."
+ default = "BYOL"
+}
+locals {
+ license_allowed_values = [
+ "BYOL"]
+ // will fail if [var.license] is invalid:
+ validate_license = index(local.license_allowed_values, upper(var.license))
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+locals {
+ regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+ // Will fail if var.admin_SSH_key is invalid
+ regex_admin_SSH_key = length(regexall(local.regex_valid_admin_SSH_key, var.admin_SSH_key)) > 0 ? 0 : "Please enter a valid SSH public key or leave empty"
+ index_admin_SSH_key = index(["0"], local.regex_admin_SSH_key)
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+locals {
+ admin_shell_allowed_values = [
+ "/etc/cli.sh",
+ "/bin/bash",
+ "/bin/csh",
+ "/bin/tcsh"]
+ // Will fail if var.admin_shell is invalid
+ validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+variable "externalIP" {
+ type = string
+ description = "External IP address type"
+ default = "static"
+ validation {
+ condition = contains(["static", "ephemeral", "none"], var.externalIP)
+ error_message = "Invalid value for externalIP. Allowed values are 'static', 'ephemeral' or 'none'."
+ }
+}
+locals {
+ external_ip_allowed_values = [
+ "static",
+ "ephemeral",
+ "none"
+ ]
+ validate_external_ip = index(local.external_ip_allowed_values, var.externalIP)
+}
+
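Review bot: `regex_valid_admin_SSH_key` only accepts `ssh-rsa AAAA...` keys, so an operator supplying an `ssh-ed25519` or `ecdsa-sha2-nistp256` public key is rejected with "Please enter a valid SSH public key or leave empty"; since ed25519 is the key type most current hardening guidance recommends, widen the pattern to the key types GAIA accepts. Two smaller points: in `regex_validate_mgmt_image_name`, `[^(gw)]` is a character class excluding the single characters `(`, `g`, `w` and `)`, not a "not followed by gw" assertion, so it also rejects any image name whose next segment happens to start with `g` or `w`; and `validate_external_ip` duplicates the `validation` block already attached to `externalIP`, while `image_name`, `license` and `admin_SSH_key` still rely on the `index(["0"], ...)` trick. Using native `validation` blocks everywhere gives readable error messages and removes the dead local.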
diff --git a/modules/common/firewall-rule/main.tf b/modules/common/firewall-rule/main.tf
new file mode 100644
index 0000000..0920594
--- /dev/null
+++ b/modules/common/firewall-rule/main.tf
@@ -0,0 +1,10 @@
+resource "google_compute_firewall" "firewall_rules" {
+ name = var.rule_name
+ network = var.network[0]
+ allow {
+ protocol = var.protocol
+ ports = var.ports
+ }
+ source_ranges = var.source_ranges
+ target_tags = var.target_tags
+}
\ No newline at end of file
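Review bot: the rule is created unconditionally, so `source_ranges = []` (the variable's default) does not disable the protocol's traffic as the variable description promises; it still creates an allow rule and leaves the source set to the API's default handling. Gate the resource with `count = length(var.source_ranges) > 0 ? 1 : 0` (and change `output.tf` to `google_compute_firewall.firewall_rules[*].name`) so that an empty list reliably means "no rule". Consider setting `direction = "INGRESS"` explicitly, and note that nothing stops a caller passing a non-empty `ports` list with a protocol that cannot carry ports (the variable description itself says ports apply only to TCP/UDP); a `validation` on that combination surfaces the mistake at plan time instead of at the API.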
diff --git a/modules/common/firewall-rule/output.tf b/modules/common/firewall-rule/output.tf
new file mode 100644
index 0000000..e608895
--- /dev/null
+++ b/modules/common/firewall-rule/output.tf
@@ -0,0 +1,3 @@
+output "firewall_rule_name" {
+ value = google_compute_firewall.firewall_rules.name
+}
\ No newline at end of file
diff --git a/modules/common/firewall-rule/variables.tf b/modules/common/firewall-rule/variables.tf
new file mode 100644
index 0000000..33a4c92
--- /dev/null
+++ b/modules/common/firewall-rule/variables.tf
@@ -0,0 +1,28 @@
+variable "protocol" {
+ type = string
+ description = "The IP protocol to which this rule applies."
+}
+variable "source_ranges" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for the protocol traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable this protocol traffic."
+ default = []
+}
+variable "rule_name" {
+ type = string
+ description = "Firewall rule name."
+}
+variable "network" {
+ type = list(string)
+ description = "The name or self_link of the network to attach this firewall to."
+}
+variable "target_tags" {
+ description = "List of target tags for the firewall rule"
+ type = list(string)
+ default = ["checkpoint-gateway"]
+}
+variable "ports" {
+ description = "List of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. "
+ type = list(number)
+ default = []
+
+}
\ No newline at end of file
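Review bot: the `source_ranges` description says "Please leave empty list to unable this protocol traffic"; it should read "disable", and as `main.tf` is written an empty list still creates the rule, so the wording and the behaviour need to be brought into line. "For gateway only." is also unclear in this context. `ports` is typed `list(number)`, which rules out port ranges such as "80-443" that `google_compute_firewall` accepts as strings; `list(string)` keeps the module usable for range rules. `protocol` has no validation; a `contains(["tcp", "udp", "icmp", "esp", "ah", "sctp", "ipip", "all"], lower(var.protocol))` check rejects typos before the API does.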
diff --git a/modules/common/internal-load-balancer/main.tf b/modules/common/internal-load-balancer/main.tf
new file mode 100644
index 0000000..eeaed9d
--- /dev/null
+++ b/modules/common/internal-load-balancer/main.tf
@@ -0,0 +1,33 @@
+resource "google_compute_health_check" "health_check" {
+ name = "${var.prefix}-health-check"
+ project = var.project
+ tcp_health_check {
+ port = 8117
+ }
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+ name = "${var.prefix}-internal-backend-service"
+ project = var.project
+ protocol = var.protocol
+ health_checks = [google_compute_health_check.health_check.id]
+ region = var.region
+ network = var.network
+ connection_draining_timeout_sec = var.connection_draining_timeout
+ backend {
+ group = var.instance_group
+ }
+}
+
+resource "google_compute_forwarding_rule" "forwarding_rule" {
+ for_each = toset(var.intercept_deployment_zones)
+ name = "${var.prefix}-forwarding-rule-${each.key}"
+ project = var.project
+ region = var.region
+ load_balancing_scheme = "INTERNAL"
+ ip_version = "IPV4"
+ ip_protocol = var.ip_protocol
+ ports = var.ports
+ subnetwork = var.subnetwork
+ backend_service = google_compute_region_backend_service.backend_service.self_link
+}
\ No newline at end of file
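Review bot: the backend service `protocol` and the forwarding rule `ip_protocol` come from two independent variables (`var.protocol`, `var.ip_protocol`), so a caller can put a UDP forwarding rule in front of a TCP backend service; for this module they must agree, so derive one from the other or validate that they match. The health check port `8117` is hardcoded with default interval and threshold values; exposing it as a variable with `8117` as the default lets operators tune failover time. Nothing in the hunks shown creates the firewall rule that allows the GCP health-check ranges to reach port 8117 on the gateways (the `firewall-rule` module exists but `network-security-integration-common/main.tf` never calls it); if the parent module is expected to do that, document it. Finally, the forwarding rules are keyed by zone but are regional resources and the zone only appears in the name; that is what the one-rule-per-intercept-deployment requirement needs, but a comment saying so will stop someone "simplifying" it later.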
diff --git a/modules/common/internal-load-balancer/output.tf b/modules/common/internal-load-balancer/output.tf
new file mode 100644
index 0000000..aee8f2e
--- /dev/null
+++ b/modules/common/internal-load-balancer/output.tf
@@ -0,0 +1,3 @@
+output "forwarding_rule" {
+ value = { for key, rule in google_compute_forwarding_rule.forwarding_rule : key => rule.self_link }
+}
\ No newline at end of file
diff --git a/modules/common/internal-load-balancer/variables.tf b/modules/common/internal-load-balancer/variables.tf
new file mode 100644
index 0000000..52e22ae
--- /dev/null
+++ b/modules/common/internal-load-balancer/variables.tf
@@ -0,0 +1,62 @@
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = "chkp-tf-project"
+}
+
+variable "prefix" {
+ type = string
+ description = "Resources name prefix"
+ default = "chkp-tf-nsi"
+}
+
+variable "network" {
+ type = string
+ description = "The name or self_link of the network"
+}
+
+variable "subnetwork" {
+ type = string
+ description = "The name or self_link of the subnetwork"
+}
+
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+
+variable "ip_protocol" {
+ description = "The IP protocol to which this rule applies. For protocol forwarding, valid options are TCP, UDP, ESP, AH, SCTP, ICMP and L3_DEFAULT."
+ default = "TCP"
+ type = string
+}
+
+variable "ports" {
+ description = "Which port numbers are forwarded to the backends"
+ default = []
+ type = list(number)
+}
+
+variable "protocol" {
+ description = "The protocol used by the backend service. Valid values are HTTP, HTTPS, HTTP2, SSL, TCP, UDP, GRPC, UNSPECIFIED"
+ default = "TCP"
+ type = string
+
+}
+
+variable "instance_group" {
+ description = "The name or self_link of the instance group"
+ type = string
+}
+
+variable "intercept_deployment_zones" {
+ type = list(string)
+ description = "The list of zones for which a network security intercept deployment will be deployed. The zones must be in the same region as the deployment."
+ default = ["us-central1-a"]
+}
+
+variable "connection_draining_timeout" {
+ type = number
+ description = "The time, in seconds, that the load balancer waits for active connections to complete before fully removing an instance from the backend group. The default value is 300 seconds."
+ default = 300
+}
\ No newline at end of file
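Review bot: `project` defaults to `"chkp-tf-project"`, a real-looking project id; if a caller forgets to pass `project`, the plan targets (or fails authenticating to) that project instead of erroring on a missing input. Remove the default so the value is mandatory, as `network`, `subnetwork` and `instance_group` already are. Also `region` has no description, and `ip_protocol`/`protocol` enumerate their valid values in the description but carry no `validation` block.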
diff --git a/modules/common/network-and-subnet/main.tf b/modules/common/network-and-subnet/main.tf
new file mode 100644
index 0000000..5dad8d5
--- /dev/null
+++ b/modules/common/network-and-subnet/main.tf
@@ -0,0 +1,27 @@
+locals {
+ create_network_condition = var.network_cidr == "" ? false : true
+}
+
+resource "google_compute_network" "network" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${replace(var.prefix, "--", "-")}-${replace(replace(var.type, "(", ""), ")", "")}"
+ auto_create_subnetworks = false
+}
+resource "google_compute_subnetwork" "new_subnetwork" {
+ count = local.create_network_condition ? 1 : 0
+ name = "${replace(var.prefix, "--", "-")}-${replace(replace(replace(var.type, "(", ""), ")", ""), "--", "-")}-subnet"
+ ip_cidr_range = var.network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network = google_compute_network.network[count.index].id
+}
+data "google_compute_subnetwork" "existing_subnetwork" {
+ count = local.create_network_condition ? 0 : 1
+ name = var.subnetwork_name
+ region = var.region
+}
+
+data "google_compute_network" "network_name" {
+ count = local.create_network_condition ? 0 : 1
+ name = var.network_name
+}
\ No newline at end of file
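Review bot: `google_compute_subnetwork.new_subnetwork` hardcodes `private_ip_google_access = true` although `variables.tf` in this same module declares `var.private_ip_google_access`; wire the variable in (or drop it) so the input is not silently ignored. The two data sources do not pass `project`, so looking up an existing network or subnetwork relies on the provider default project; passing `project` explicitly, as the other modules do for their resources, avoids surprises in multi-project setups. `var.network_cidr == "" ? false : true` can simply be `var.network_cidr != ""`.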
diff --git a/modules/common/network-and-subnet/output.tf b/modules/common/network-and-subnet/output.tf
new file mode 100644
index 0000000..959cdc9
--- /dev/null
+++ b/modules/common/network-and-subnet/output.tf
@@ -0,0 +1,21 @@
+output "new_created_network_link" {
+ value = google_compute_network.network[*].self_link
+}
+output "new_created_subnet_link" {
+ value = google_compute_subnetwork.new_subnetwork[*].self_link
+}
+output "existing_network_link" {
+ value = data.google_compute_network.network_name[*].self_link
+}
+output "new_created_network_name" {
+ value = google_compute_network.network[*].name
+}
+output "new_created_subnet_name" {
+ value = google_compute_subnetwork.new_subnetwork[*].name
+}
+output "existing_network_name" {
+ value = data.google_compute_network.network_name[*].name
+}
+output "gateway_address" {
+ value = local.create_network_condition ? google_compute_subnetwork.new_subnetwork[0].gateway_address : data.google_compute_subnetwork.existing_subnetwork[0].gateway_address
+}
\ No newline at end of file
diff --git a/modules/common/network-and-subnet/variables.tf b/modules/common/network-and-subnet/variables.tf
new file mode 100644
index 0000000..7cff4a5
--- /dev/null
+++ b/modules/common/network-and-subnet/variables.tf
@@ -0,0 +1,32 @@
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-ha"
+}
+variable "type" {
+ type = string
+}
+variable "network_cidr" {
+ type = string
+ description = "External subnet CIDR. If the variable's value is not empty double quotes, a new network will be created."
+ default = "10.0.0.0/24"
+}
+variable "private_ip_google_access" {
+ type = bool
+ description = "When enabled, VMs in this subnetwork without external IP addresses can access Google APIs and services by using Private Google Access."
+ default = true
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "network_name" {
+ type = string
+ description = "External network ID in the chosen zone. The network determines what network traffic the instance can access.If you have specified a CIDR block at var.network_cidr, this network name will not be used."
+ default = ""
+}
+variable "subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork's range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
\ No newline at end of file
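Review bot: `type` is a required input that ends up in resource names via `replace(...)` in `main.tf`, but it has no description and no validation; document the expected values and constrain them, because anything that does not reduce to a valid GCE resource-name fragment fails only at apply time. The `subnetwork_name` description ("Assigns the instance an IPv4 address...") describes instance addressing rather than the variable, and the `network_name` description is missing a space after "access.".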
diff --git a/modules/common/network-security-integration-common/main.tf b/modules/common/network-security-integration-common/main.tf
new file mode 100644
index 0000000..d4bbe51
--- /dev/null
+++ b/modules/common/network-security-integration-common/main.tf
@@ -0,0 +1,258 @@
+locals{
+ mgmt_nic_condition = var.management_nic == "Ephemeral Public IP (eth0)" ? true : false
+ mgmt_nic_ip_address_condition = local.mgmt_nic_condition ? "x-chkp-ip-address--public" : "x-chkp-ip-address--private"
+ mgmt_nic_interface_condition = "x-chkp-management-interface--eth0"
+ admin_SSH_key_condition = var.admin_SSH_key != "" ? true : false
+ disk_type_condition = var.disk_type == "SSD Persistent Disk" ? "pd-ssd" : var.disk_type == "Standard Persistent Disk" ? "pd-standard" : ""
+ service_nic_interface_undefined = "x-chkp-topology-eth1--undefined"
+}
+provider "google-beta" {
+ credentials = var.service_account_path
+ project = var.project
+ region = var.region
+}
+
+resource "random_string" "generated_password" {
+ length = 12
+ special = false
+}
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+resource "google_compute_instance_template" "instance_template" {
+ name = "${var.prefix}-tmplt-${random_string.random_string.result}"
+ machine_type = var.machine_type
+ can_ip_forward = true
+
+
+ disk {
+ source_image = "checkpoint-public/${var.image_name}"
+ auto_delete = true
+ boot = true
+ device_name = "${var.prefix}-boot-${random_string.random_string.result}"
+ disk_type = local.disk_type_condition
+ disk_size_gb = var.disk_size
+ mode = "READ_WRITE"
+ type = "PERSISTENT"
+ }
+
+ network_interface {
+ network = var.mgmt_network[0]
+ subnetwork = var.mgmt_subnetwork[0]
+ dynamic "access_config" {
+ for_each = local.mgmt_nic_condition ? [
+ 1] : []
+ content {
+ network_tier = local.mgmt_nic_condition ? "PREMIUM" : "STANDARD"
+ }
+ }
+ }
+
+ network_interface {
+ network = var.security_network[0]
+ subnetwork = var.security_subnetwork[0]
+ }
+
+ scheduling {
+ automatic_restart = true
+ on_host_maintenance = "MIGRATE"
+ preemptible = false
+ }
+
+ service_account {
+ email = "default"
+ scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring.write",
+ "https://www.googleapis.com/auth/pubsub",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/trace.append"]
+ }
+ tags = [
+ format("x-chkp-management--%s", var.management_name),
+ format("x-chkp-template--%s", var.configuration_template_name),
+ "checkpoint-gateway",
+ local.mgmt_nic_ip_address_condition,
+ local.mgmt_nic_interface_condition,
+ local.service_nic_interface_undefined
+ ]
+
+ metadata = local.admin_SSH_key_condition ? {
+ serial-port-enable = "true"
+ instanceSSHKey = var.admin_SSH_key
+ adminPasswordSourceMetadata = var.generate_password ?random_string.generated_password.result : ""
+ } : {
+ serial-port-enable = "true"
+ adminPasswordSourceMetadata = var.generate_password?random_string.generated_password.result : ""
+ }
+
+ metadata_startup_script = templatefile("${path.module}/../startup-script.sh", {
+ // script's arguments
+ generatePassword = var.generate_password
+ config_url = ""
+ config_path = ""
+ sicKey = ""
+ allowUploadDownload = var.allow_upload_download
+ templateName = "network_security_integration_tf"
+ templateVersion = "20230910"
+ templateType = "terraform"
+ mgmtNIC = var.management_nic
+ hasInternet = "false"
+ enableMonitoring = var.enable_monitoring
+ shell = var.admin_shell
+ installation_type = "Network Security Integration"
+ computed_sic_key = var.sic_key
+ managementGUIClientNetwork = ""
+ primary_cluster_address_name = ""
+ secondary_cluster_address_name = ""
+ secondary_cluster_address_name = ""
+ managementNetwork = ""
+ numAdditionalNICs = ""
+ smart_1_cloud_token = ""
+ name = ""
+ zoneConfig = ""
+ region = ""
+ os_version = var.os_version
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ })
+}
+resource "google_compute_region_instance_group_manager" "instance_group_manager" {
+ region = var.region
+ name = "${var.prefix}-igm-${random_string.random_string.result}"
+ version {
+ instance_template = google_compute_instance_template.instance_template.id
+ name = "${var.prefix}-tmplt"
+ }
+ base_instance_name = "${var.prefix}-${random_string.random_string.result}"
+}
+resource "google_compute_region_autoscaler" "autoscaler" {
+ region = var.region
+ name = "${var.prefix}-autoscaler-${random_string.random_string.result}"
+ target = google_compute_region_instance_group_manager.instance_group_manager.id
+
+ autoscaling_policy {
+ max_replicas = var.instances_max_group_size
+ min_replicas = var.instances_min_group_size
+ cooldown_period = 90
+
+ cpu_utilization {
+ target = var.cpu_usage/100
+ }
+ }
+}
+
+module "load_balancer" {
+ source = "../internal-load-balancer"
+ project = var.project
+ prefix = var.prefix
+ network = var.security_network[0]
+ subnetwork = var.security_subnetwork[0]
+ region = var.region
+ protocol = "UDP"
+ ip_protocol = "UDP"
+ ports = [6081]
+ instance_group = google_compute_region_instance_group_manager.instance_group_manager.instance_group
+ intercept_deployment_zones = var.intercept_deployment_zones
+ connection_draining_timeout = var.connection_draining_timeout
+}
+
+resource "google_network_security_intercept_deployment_group" "network_security_intercept_deployment_group" {
+ provider = google-beta
+ project = var.project
+ intercept_deployment_group_id = "${var.prefix}-intercept-deployment-group"
+ location = "global"
+ network = var.security_network[0]
+}
+
+resource "google_network_security_intercept_deployment" "network_security_intercept_deployment" {
+ provider = google-beta
+ for_each = toset(var.intercept_deployment_zones)
+ intercept_deployment_id = "${var.prefix}-intercept-deployment-${each.key}"
+ location = each.key
+ project = var.project
+ forwarding_rule = module.load_balancer.forwarding_rule[each.key]
+ intercept_deployment_group = google_network_security_intercept_deployment_group.network_security_intercept_deployment_group.id
+}
+
+resource "google_network_security_intercept_endpoint_group" "network_security_intercept_endpoint_group" {
+ provider = google-beta
+ intercept_endpoint_group_id = "${var.prefix}-intercept-endpoint-group"
+ project = var.project
+ intercept_deployment_group = google_network_security_intercept_deployment_group.network_security_intercept_deployment_group.id
+ location = "global"
+}
+
+resource "google_network_security_intercept_endpoint_group_association" "network_security_intercept_endpoint_group_association" {
+ provider = google-beta
+ intercept_endpoint_group_association_id = "${var.prefix}-intercept-endpoint-group-association"
+ intercept_endpoint_group = google_network_security_intercept_endpoint_group.network_security_intercept_endpoint_group.id
+ network = var.service_network[0]
+ location = "global"
+ project = var.project
+}
+
+resource "google_network_security_security_profile" "network_security_profile" {
+ provider = google-beta
+ name = "${var.prefix}-network-security-profile"
+ custom_intercept_profile {
+ intercept_endpoint_group = google_network_security_intercept_endpoint_group.network_security_intercept_endpoint_group.id
+ }
+ type = "CUSTOM_INTERCEPT"
+ parent = "organizations/${var.organization_id}"
+}
+
+resource "google_network_security_security_profile_group" "network_security_profile_group" {
+ provider = google-beta
+ name = "${var.prefix}-network-security-profile-group"
+ custom_intercept_profile = google_network_security_security_profile.network_security_profile.id
+ parent = "organizations/${var.organization_id}"
+}
+
+resource "google_compute_network_firewall_policy" "consumer_policy" {
+ name = "${var.prefix}-consumer-policy"
+ project = var.project
+}
+
+resource "google_compute_network_firewall_policy_rule" "ingress_network_firewall_policy" {
+ provider = google-beta
+ priority = 10
+ action = "apply_security_profile_group"
+ firewall_policy = google_compute_network_firewall_policy.consumer_policy.id
+ security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.network_security_profile_group.id}"
+ direction = "INGRESS"
+ match {
+ layer4_configs {
+ ip_protocol = "all"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ dest_ip_ranges = ["0.0.0.0/0"]
+ }
+}
+
+resource "google_compute_network_firewall_policy_rule" "egress_network_firewall_policy" {
+ provider = google-beta
+ priority = 11
+ action = "apply_security_profile_group"
+ firewall_policy = google_compute_network_firewall_policy.consumer_policy.id
+ security_profile_group = "//networksecurity.googleapis.com/${google_network_security_security_profile_group.network_security_profile_group.id}"
+ direction = "EGRESS"
+ match {
+ layer4_configs {
+ ip_protocol = "all"
+ }
+ src_ip_ranges = ["0.0.0.0/0"]
+ dest_ip_ranges = ["0.0.0.0/0"]
+ }
+}
+
+resource "google_compute_network_firewall_policy_association" "network_firewall_policy_association" {
+ name = "${var.prefix}-consumer-policy-association"
+ firewall_policy = google_compute_network_firewall_policy.consumer_policy.id
+ attachment_target = var.service_network[0]
+ project = var.project
+}
\ No newline at end of file
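Review bot: the `templatefile` argument map repeats `secondary_cluster_address_name = ""` on two consecutive lines; HCL rejects duplicate keys in an object constructor, so this module cannot pass `terraform validate` until one copy is removed. Further points, in order of impact: (1) `templatefile("${path.module}/../startup-script.sh", ...)` reads `modules/common/startup-script.sh`, which this change does not add; the module fails at plan time unless that file already exists in the repository. (2) The generated admin password uses `random_string` rather than `random_password`, so it is printed in clear text in plan/apply output and in CI logs; `random_password` marks the result sensitive. Both it and `var.sic_key` are written into instance metadata (`adminPasswordSourceMetadata`, and `computed_sic_key` inside the startup script), which is readable by anyone with `compute.instances.get` on the project, so the README should say so and `sic_key` should be declared `sensitive = true`. (3) The instance template has a fixed name (`random_string.random_string` has `keepers = {}`) and no `lifecycle { create_before_destroy = true }`; any change to the template (new image, machine type) tries to destroy a template still referenced by the instance group manager and fails. Use `name_prefix` plus `create_before_destroy`. (4) Declaring `provider "google-beta"` inside the module prevents callers from using `count`/`for_each` on the module or passing an aliased provider; prefer a `required_providers` entry and let the root module configure it. (5) `disk_type_condition` yields `""` for any `disk_type` other than the two listed strings, which the API rejects; a `validation` block would give a clear message. (6) Inside the `dynamic "access_config"` block, `local.mgmt_nic_condition ? "PREMIUM" : "STANDARD"` is dead code: the block only exists when the condition is true, so `network_tier` is always `PREMIUM`. (7) The template runs as the default compute service account (`email = "default"`); a dedicated service account with only the listed scopes is the least-privilege choice and avoids inheriting the project-wide Editor grant that the default compute service account receives unless an organization policy prevents it.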
diff --git a/modules/common/network-security-integration-common/output.tf b/modules/common/network-security-integration-common/output.tf
new file mode 100644
index 0000000..ad3644d
--- /dev/null
+++ b/modules/common/network-security-integration-common/output.tf
@@ -0,0 +1,22 @@
+output "management_name" {
+ value = var.management_name
+}
+output "configuration_template_name" {
+ value = var.configuration_template_name
+}
+output "instance_template_name" {
+ value = google_compute_instance_template.instance_template.name
+}
+output "instance_group_manager_name" {
+ value = google_compute_region_instance_group_manager.instance_group_manager.name
+}
+output "autoscaler_name" {
+ value = google_compute_region_autoscaler.autoscaler.name
+}
+output "security_policy_id" {
+ value = google_compute_network_firewall_policy.consumer_policy.id
+}
+output "intercept_endpoint_group_id" {
+ value = google_network_security_intercept_endpoint_group.network_security_intercept_endpoint_group.id
+ description = "The ID of the intercept endpoint group."
+}
diff --git a/modules/common/network-security-integration-common/variables.tf b/modules/common/network-security-integration-common/variables.tf
new file mode 100644
index 0000000..f0713fd
--- /dev/null
+++ b/modules/common/network-security-integration-common/variables.tf
@@ -0,0 +1,209 @@
+# Check Point CloudGuard IaaS Autoscaling - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+}
+
+variable "organization_id" {
+ type = string
+ description = "Organization ID - The organization ID is a unique identifier for your organization. It is used to identify your organization in the Google Cloud Console and in API requests."
+ default = ""
+}
+
+# --- Check Point---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-nsi"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL)."
+ default = "BYOL"
+}
+variable "image_name" {
+ type = string
+ description = "The NSI image name (e.g. check-point-r8120-gw-byol-nsi-631-991001866-v20250731)."
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+}
+variable "management_name" {
+ type = string
+ description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)"
+ default = "tf-checkpoint-management"
+}
+variable "configuration_template_name" {
+ type = string
+ description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)"
+ default = "tf-asg-autoprov-tmplt"
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password"
+ default = false
+}
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+
+variable "sic_key" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the gatewayes objects and the management server"
+ default = ""
+}
+
+# --- Networking ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+variable "intercept_deployment_zones" {
+ type = list(string)
+ description = "The list of zones for which a network security intercept deployment will be deployed. The zones must be in the same region as the deployment."
+ default = ["us-central1-a"]
+}
+variable "mgmt_network" {
+ type = list(string)
+ description = "The network determines what network traffic the instance can access"
+ default = ["default"]
+}
+variable "mgmt_subnetwork" {
+ type = list(string)
+ description = "The subnetwork determines what network traffic the instance can access"
+ default = ["default"]
+}
+
+variable "security_network" {
+ type = list(string)
+ description = "The network determines what network traffic the instance can access"
+ default = ["default"]
+}
+variable "security_subnetwork" {
+ type = list(string)
+ description = "The subnetwork determines what network traffic the instance can access"
+ default = ["default"]
+}
+
+variable "service_network" {
+ type = list(string)
+ description = "The network determines what network traffic the instance can access"
+ default = ["default"]
+}
+
+variable "service_subnetwork" {
+ type = list(string)
+ description = "The subnetwork determines what network traffic the instance can access"
+ default = ["default"]
+
+}
+
+variable "ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+
+# --- Instance Configuration ---
+variable "machine_type" {
+ type = string
+ default = "n1-standard-4"
+}
+variable "cpu_usage" {
+ type = number
+ description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
+ default = 60
+}
+resource "null_resource" "cpu_usage_validation" {
+ // Will fail if var.cpu_usage is less than 10 or more than 90
+ count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90"
+}
+variable "instances_min_group_size" {
+ type = number
+ description = "The minimal number of instances"
+ default = 2
+}
+variable "instances_max_group_size" {
+ type = number
+ description = "The maximal number of instances"
+ default = 10
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 4096
+ count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096"
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
+
+variable "connection_draining_timeout" {
+ type = number
+ description = "The time, in seconds, that the load balancer waits for active connections to complete before fully removing an instance from the backend group. The default value is 300 seconds."
+ default = 300
+}
\ No newline at end of file
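Review bot: `sic_key` and `maintenance_mode_password_hash` in this hunk should be declared `sensitive = true`; as written, both print in cleartext in every `terraform plan`/`apply` output and in any CI log that captures it. The two `null_resource` blocks (`cpu_usage_validation`, `disk_size_validation`) use a string-typed `count` to force a failure; now that the module requires Terraform 1.9.0, move those checks into `validation { condition = var.cpu_usage >= 10 && var.cpu_usage <= 90  error_message = "..." }` blocks on the variables, which fail at plan time with a readable message instead of a type-conversion error. The `data "google_compute_regions"` block is also out of place in variables.tf, and `service_account_path` and `project` default to `""` although the README lists them as required. Typos in descriptions: 'gatewayes', 'autoprovisioing', 'supply the path to the location is stored', and 'leave empty list to unable X traffic' should read 'disable'.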
diff --git a/modules/common/startup-script.sh b/modules/common/startup-script.sh
new file mode 100644
index 0000000..9d45ccb
--- /dev/null
+++ b/modules/common/startup-script.sh
@@ -0,0 +1,26 @@
+#cloud-config
+network:
+ version: 1
+ config:
+ - type: bridge
+ name: br1
+ mtu: *eth1-mtu
+ subnets:
+ - address: *eth1-private
+ type: static
+ gateway: *default-gateway
+ dns_nameservers:
+ - *eth1-dns1
+ bridge_interfaces:
+ - eth1
+kernel_parameters:
+ sim:
+ - sim_geneve_enabled=1
+ - sim_geneve_br_dev=br1
+ fw:
+ - fwtls_bridge_mode_inspection=1
+ - fw_geneve_enabled=1
+bootcmd:
+ - echo "brctl hairpin br1 eth1 on" >> /etc/rc.local
+runcmd:
+ - 'python3 /etc/cloud_config.py generatePassword=\"${generatePassword}\" allowUploadDownload=\"${allowUploadDownload}\" templateName=\"${templateName}\" templateVersion=\"${templateVersion}\" mgmtNIC="X${mgmtNIC}X" hasInternet=\"${hasInternet}\" config_url=\"${config_url}\" config_path=\"${config_path}\" installationType="X${installation_type}X" enableMonitoring=\"${enableMonitoring}\" shell=\"${shell}\" computed_sic_key=\"${computed_sic_key}\" sicKey=\"${sicKey}\" managementGUIClientNetwork=\"${managementGUIClientNetwork}\" primary_cluster_address_name=\"${primary_cluster_address_name}\" secondary_cluster_address_name=\"${secondary_cluster_address_name}\" managementNetwork=\"${managementNetwork}\" numAdditionalNICs=\"${numAdditionalNICs}\" smart1CloudToken="X${smart_1_cloud_token}X" name=\"${name}\" zone=\"${zoneConfig}\" region=\"${region}\" osVersion=\"${os_version}\" MaintenanceModePassword=\"${maintenance_mode_password_hash}\"'
\ No newline at end of file
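Review bot: the `runcmd` line passes `sicKey=...`, `MaintenanceModePassword=...` and `smart1CloudToken=...` as command-line arguments to `python3 /etc/cloud_config.py`, so those secrets are visible in the process argument list while the script runs and, with standard cloud-init, persisted in the rendered runcmd script on disk; a root-only file or environment variables read by `cloud_config.py` would keep them out of `ps` and logs. The `bootcmd` entry `echo "brctl hairpin br1 eth1 on" >> /etc/rc.local` runs on every boot, so the line is appended again after each reboot; guard it with a check for an existing line or write it once from `runcmd`. Also, the YAML aliases `*eth1-mtu`, `*eth1-private`, `*default-gateway` and `*eth1-dns1` have no anchors in this file, and the file is named `startup-script.sh` while its content is a `#cloud-config` document; a comment stating that the Gaia image resolves these aliases, and a `.yaml` name, would make that explicit.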
diff --git a/modules/network-security-integration/README.md b/modules/network-security-integration/README.md
new file mode 100644
index 0000000..9e2c4c4
--- /dev/null
+++ b/modules/network-security-integration/README.md
@@ -0,0 +1,262 @@
+# Check Point Network Security Integration Terraform module for Google Cloud Platform (GCP)
+
+> **Important Notes:**
+> - This is a preview release of the CloudGuard Network Security Integration Terraform module for GCP.
+> - The GCP Network Security Integration is currently in private preview.
+If you are interested in participating, please reach out to your local Check Point representative. They will contact the Check Point's Cloud Specialist (CSS) or Cloud Architect (CSA) that will gladly enroll you on the Early Availability (EA) program and offer additional documentation and assistance.
+
+
+
+This Terraform module deploys Check Point CloudGuard Network Security for the GCP Network Security Integration solution into new or existing VPCs.
+As part of the deployment, the following resources are created:
+
+* [Instance Template](https://www.terraform.io/docs/providers/google/r/compute_instance_template.html)
+* [Firewall](https://www.terraform.io/docs/providers/google/r/compute_firewall.html) - conditional creation
+* [Instance Group Manager](https://www.terraform.io/docs/providers/google/r/compute_region_instance_group_manager.html)
+* [Autoscaler](https://www.terraform.io/docs/providers/google/r/compute_region_autoscaler.html)
+* [Network](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network)
+* [Health Check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_health_check)
+* [Backend Service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_region_backend_service)
+* [Forwarding Rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule)
+* [Intercept Deployment Group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_intercept_deployment_group)
+* [Intercept Deployment](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_intercept_deployment)
+* [Intercept Endpoint Group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_intercept_endpoint_group)
+* [Intercept Endpoint Group Association](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_intercept_endpoint_group_association)
+* [Security Profile](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_security_profile)
+* [Security Profile Group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/network_security_security_profile_group)
+* [Firewall Policy](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy)
+* [Firewall Policy Rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_rule)
+* [Firewall Policy Association](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_network_firewall_policy_association)
+
+
+For additional information, see the [CloudGuard Network for GCP Network Security Integration Deployment Guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_GCP_Autoscaling_MIG/Default.htm)
+
+## Cross-Zone Deployment
+### Intercept Deployment per Availability Zone in the Service VPC
+To ensure that traffic is properly intercepted and inspected by Check Point firewalls, an intercept deployment and a corresponding forwarding rule to the Internal Load Balancer must be deployed for each Availability Zone utilized within the Security VPC.
+Note - If an Intercept Deployment is missing in a specific zone, traffic in that zone will bypass GCP Layer 7 policies and not be inspected, resulting in a potential security gap.
+These deployments must be aligned with the zones where your workloads reside.
+
+Our Terraform template supports a cross-zone deployment model.
+Please define the relevant zones using the intercept_deployment_zones parameter in the main.tf file.
+
+Example:
+intercept_deployment_zones = ["us-central1-a", "us-central1-b"]
+
+This configuration deploys intercept instances in both us-central1-a and us-central1-b.
+
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform] version **1.9.0** (minimum required) or higher, (https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform Getting Started Guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+
+3. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
+4. Ensure that the Service Account possesses the following permissions, in addition to those listed in the main README:
+ ```
+ compute.firewallPolicies.create
+ compute.firewallPolicies.delete
+ compute.firewallPolicies.get
+ compute.firewallPolicies.update
+ compute.firewallPolicies.use
+ compute.forwardingRules.create
+ compute.forwardingRules.delete
+ compute.forwardingRules.get
+ compute.forwardingRules.use
+ compute.globalOperations.get
+ compute.healthChecks.create
+ compute.healthChecks.delete
+ compute.healthChecks.get
+ compute.healthChecks.useReadOnly
+ compute.instanceGroups.use
+ compute.networks.create
+ compute.networks.delete
+ compute.networks.setFirewallPolicy
+ compute.networks.use
+ compute.regionBackendServices.create
+ compute.regionBackendServices.delete
+ compute.regionBackendServices.use
+ compute.regionBackendServices.get
+ compute.subnetworks.create
+ compute.subnetworks.delete
+ compute.zones.list
+ networksecurity.interceptDeploymentGroups.create
+ networksecurity.interceptDeploymentGroups.delete
+ networksecurity.interceptDeploymentGroups.get
+ networksecurity.interceptDeploymentGroups.use
+ networksecurity.interceptDeployments.create
+ networksecurity.interceptDeployments.delete
+ networksecurity.interceptDeployments.get
+ networksecurity.interceptEndpointGroupAssociations.create
+ networksecurity.interceptEndpointGroupAssociations.delete
+ networksecurity.interceptEndpointGroupAssociations.get
+ networksecurity.interceptEndpointGroups.create
+ networksecurity.interceptEndpointGroups.delete
+ networksecurity.interceptEndpointGroups.get
+ networksecurity.interceptEndpointGroups.use
+ networksecurity.securityProfiles.create
+```
+Add the following Organization level permissions to the service account:
+ ```
+ Custom roles -
+ networksecurity.securityProfiles.*
+ networksecurity.securityProfileGroups.*
+ networksecurity.operations.get
+ ```
+5. Enable the **Network Security API** and **Compute Engine API** for your project. You can do this by either:
+
+ - Running the following `gcloud` commands:
+ ```
+ gcloud services enable networksecurity.googleapis.com
+ ```
+ ```
+ gcloud services enable compute.googleapis.com
+ ```
+ - Enabling it manually via the [GCP Console](https://console.cloud.google.com/apis/library).
+
+## Gateway Image Selection
+
+This module supports deployment with the following Check Point CloudGuard gateway images:
+
+### Available Images
+
+| Version | Image Name | License |
+|---------|------------|-------------|
+| R82 | `check-point-r82-gw-byol-nsi-777-991001866-v20250731` | BYOL |
+| R81.20 | `check-point-r8120-gw-byol-nsi-631-991001866-v20250731` | BYOL |
+
+
+## Usage
+Follow best practices for using CGNS modules on [the root page](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/gcp/latest).
+```
+provider "google" {
+ credentials = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ region = "us-central1"
+}
+
+module "nsi-test" {
+ source = "CheckPointSW/cloudguard-network-security/gcp//modules/network-security-integration"
+ version = "1.0.8"
+
+ # --- Google Provider ---
+ service_account_path = "service-accounts/service-account-file-name.json"
+ project = "project-id"
+ organization_id = "1111111111111"
+
+ # --- Check Point---
+ prefix = "chkp-tf-nsi"
+ license = "BYOL"
+ image_name = "check-point-r8120-gw-byol-nsi-631-991001866-v20250731"
+ os_version = "R8120"
+ management_nic = "Ephemeral Public IP (eth0)"
+ management_name = "tf-checkpoint-management"
+ configuration_template_name = "tf-checkpoint-template"
+ generate_password = true
+ admin_SSH_key = "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxx imported-openssh-key"
+ maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ admin_shell = "/etc/cli.sh"
+ allow_upload_download = true
+ sic_key = "xxxxxxxxxxxx"
+
+ # --- Networking ---
+ intercept_deployment_zones = ["us-central1-a"]
+ region = "us-central1"
+ mgmt_network_name = ""
+ mgmt_subnetwork_name = ""
+ mgmt_network_cidr = "10.0.4.0/24"
+ security_network_name = ""
+ security_subnetwork_name = ""
+ security_network_cidr = "10.0.5.0/24"
+ ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+ TCP_traffic = ["0.0.0.0/0"]
+ UDP_traffic = []
+ SCTP_traffic = []
+ ESP_traffic = []
+ service_network_name = ""
+ service_subnetwork_name = ""
+ service_network_cidr = "10.0.6.0/24"
+
+ # --- Instance Configuration ---
+ machine_type = "n1-standard-4"
+ cpu_usage = 60
+ instances_min_group_size = 2
+ instances_max_group_size = 10
+ disk_type = "SSD Persistent Disk"
+ disk_size = 100
+ enable_monitoring = false
+ connection_draining_timeout = 300
+ }
+```
+
+## Conditional creation
+
1. For each network and subnet variable, you can choose whether to create a new network with a new subnet or to use an existing one.
+
+- If you want to create a new network and subnet, input a subnet CIDR block for the desired new network. In this case, the network name and subnetwork name will not be used:
+
+```
+ mgmt_network_name = "not-use"
+ mgmt_subnetwork_name = "not-use"
+ mgmt_network_cidr = "10.0.1.0/24"
+```
+
+- Otherwise, if you want to use the existing network and subnet, leave empty double quotes in the CIDR variable for the desired network:
+
+```
+ mgmt_network_name = "network name"
+ mgmt_subnetwork_name = "subnetwork name"
+ mgmt_network_cidr = "10.0.1.0/24"
+```
+
+
2. To create a Firewall and allow traffic for ICMP, TCP, UDP, SCTP, and/or ESP - enter the list of Source IP ranges.
+```
+ICMP_traffic = ["123.123.0.0/24", "234.234.0.0/24"]
+TCP_traffic = ["0.0.0.0/0"]
+UDP_traffic = []
+SCTP_traffic = []
+ESP_traffic = []
+```
+Leave an empty list for a protocol if you want to disable traffic for it.
+
+### Module's variables:
+| Name | Description | Type | Allowed values | Default | Required |
+| ------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- | ------------- | ------------- |
+| service_account_path | User service account path in JSON format - From the service account key page in the Cloud Console, choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location where it is stored. (for example "service-accounts/service-account-name.json") | string | N/A | "" | yes |
+| project | Personal project ID. The project indicates the default GCP project in which all your resources will be created. The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphens, and cannot end with a hyphen. | string | N/A | "" | yes
+| organization_id | Unique identifier for your organization in GCP. It is used to manage resources and permissions within your organization. [For more detailes](https://cloud.google.com/resource-manager/docs/creating-managing-organization) | string | N/A | "" | yes
+| prefix | (Optional) Resources name prefix.
Note: resource name must not contain reserved words based on [sk40179](https://support.checkpoint.com/results/sk/sk40179). | string | N/A | "chkp-tf-nsi" | no |
+| license | Check Point license (BYOL). | string | BYOL
| "BYOL" | no |
+| image_name | The NSI image name (for example, check-point-r8120-gw-byol-nsi-631-991001866-v20250731). | string | N/A | N/A | yes |
+| os_version | Gaia OS Version | string | R8110;
R8120;
R82; | "R8120" | yes
+| management_nic | Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1). | string | Ephemeral Public IP (eth0)
Private IP (eth1) | "Ephemeral Public IP (eth0)" | no |
+| management_name | The name of the Security Management Server as it appears in the autoprovisioning configuration. (Enter a valid Security Management name including lowercase letters, digits and hyphens only). | string | N/A | "checkpoint-management" | no |
+| configuration_template_name | Specify the provisioning configuration template name (for autoprovisioning). (Enter a valid autoprovisioning configuration template name including lowercase letters, digits, and hyphens only). | string | N/A | "gcp-asg-autoprov-tmplt" | no |
+| generate_password | Automatically generate an administrator password. | bool | true
false | false | no |
+| admin_SSH_key | Public SSH key for the user 'admin' - The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys. | string | A valid public ssh key | "" | no |
+| maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions, to generate a password hash, use the command 'grub2-mkpasswd-pbkdf2' on Linux and paste it here. | string | N/A | "" | no |
+| admin_shell | Change the admin shell to enable advanced command line configuration. | string | /etc/cli.sh
/bin/bash
/bin/csh
/bin/tcsh | "/etc/cli.sh" | no |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point. | bool | true/false | true | no |
+| region | GCP region, the gateways will be randomly deployed in zones within the provided region | string | N/A | "us-central1" | no |
+| intercept_deployment_zones | The zones where the **intercept deployment** will be deployed. Ensure the VMs in the service VPC are created in these zones. | list(string) | N/A | "us-central1-a" | no |
+| mgmt_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes |
+| mgmt_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate using their internal IP addresses as long as they belong to the same network. | string | N/A | N/A | yes |
+| mgmt_network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (for example "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A |"10.0.1.0/24" | no|
+| security_network_name | The network determines what network traffic the instance can access. | string | N/A | N/A | yes |
+| security_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate using their internal IP addresses as long as they belong to the same network. | string | N/A | N/A | yes |
+| security_network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (for example "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A |"10.0.2.0/24" | no|
+| ICMP_traffic | (Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Leave an empty list to disable ICMP traffic. | list(string) | N/A | [] | no |
+| TCP_traffic | (Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Leave an empty list to disable TCP traffic. | list(string) | N/A | [] | no |
+| UDP_traffic | (Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Leave an empty list to disable UDP traffic. | list(string) | N/A | [] | no |
+| SCTP_traffic | (Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Leave an empty list to disable SCTP traffic. | list(string) | N/A | [] | no |
+| ESP_traffic | (Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Leave an empty list to disable ESP traffic. | list(string) | N/A | [] | no |
+| service_network_name | The network determines which network the Web VM will be deployed on and where the intercept endpoint group association will be deployed. | string | N/A | N/A | yes |
+| service_subnetwork_name | Assigns the instance an IPv4 address from the subnetwork’s range. Instances in different subnetworks can communicate using their internal IP addresses as long as they belong to the same network. | string | N/A | N/A | yes |
+| service_network_cidr | The range of internal addresses that are owned by this network, only IPv4 is supported (for example "10.0.0.0/8" or "192.168.0.0/16"). | string | N/A |"10.0.2.0/24" | no|
+| machine_type | Machine Type. | string | N/A | "n1-standard-4" | no |
+| cpu_usage | Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance. | number | number between 10 and 90 | 60 | no |
+| instances_min_group_size | The minimal number of instances | number | N/A | 2 | no |
+| instances_max_group_size | The maximal number of instances | number | N/A | 10 | no |
+| disk_type | Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency. | string | SSD Persistent Disk
Balanced Persistent Disk
Standard Persistent Disk | "SSD Persistent Disk" | no |
+| disk_size | Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space. | number | number between 100 and 4096 | 100 | no |
+| enable_monitoring | Enable Stackdriver monitoring | bool | true
false | false | no |
+| connection_draining_timeout | The time, in seconds, that the load balancer waits for active connections to complete before fully removing an instance from the backend group. | number | N/A | 300 | no |
\ No newline at end of file
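Review bot: the second example under 'Conditional creation' contradicts its own instruction: the text says to 'leave empty double quotes in the CIDR variable' to reuse an existing network, but the block shows `mgmt_network_cidr = "10.0.1.0/24"`, which per locals.tf in this patch (`create_mgmt_network_condition = var.mgmt_network_cidr == "" ? false : true`) creates a new network and ignores the name variables; it should read `mgmt_network_cidr = ""`. In the Usage block, `TCP_traffic = ["0.0.0.0/0"]` opens the management network to every TCP source; the sample should show a restricted administrator range, and the cleartext `sic_key`, `admin_SSH_key` and `maintenance_mode_password_hash` values belong in a `.tfvars` file kept out of version control rather than in `main.tf`. The variables table's defaults differ from the common module's variables.tf in this patch: `management_name` is `tf-checkpoint-management` there (table: `checkpoint-management`), `configuration_template_name` is `tf-asg-autoprov-tmplt` (table: `gcp-asg-autoprov-tmplt`), and `intercept_deployment_zones` is a list (`["us-central1-a"]`, not `"us-central1-a"`); confirm which defaults the wrapper module uses and align the table. Smaller fixes: the 'Important Notes' blockquote loses its `>` on the 'If you are interested' line; step 2 has a broken link (`[Install Terraform] version **1.9.0** ... (https://...)` needs the URL directly after the bracket); the 'Deployment Guide' link text points at the Autoscaling MIG guide URL; `os_version` lists R8110 as an allowed value although only R82 and R81.20 NSI images are offered; 'detailes' should be 'details'; and the permissions code fence opens indented but closes at column 0.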
diff --git a/modules/network-security-integration/locals.tf b/modules/network-security-integration/locals.tf
new file mode 100644
index 0000000..d6f1a24
--- /dev/null
+++ b/modules/network-security-integration/locals.tf
@@ -0,0 +1,10 @@
+locals{
+ create_mgmt_network_condition = var.mgmt_network_cidr == "" ? false : true
+ create_security_network_condition = var.security_network_cidr == "" ? false : true
+ create_service_network_condition = var.service_network_cidr == "" ? false : true
+ ICMP_traffic_condition = length(var.ICMP_traffic) == 0 ? false : true
+ TCP_traffic_condition = length(var.TCP_traffic) == 0 ? false : true
+ UDP_traffic_condition = length(var.UDP_traffic) == 0 ? false : true
+ SCTP_traffic_condition = length(var.SCTP_traffic) == 0 ? false : true
+ ESP_traffic_condition = length(var.ESP_traffic) == 0 ? false : true
+}
\ No newline at end of file
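Review bot: style only: each `x == "" ? false : true` and `length(y) == 0 ? false : true` already yields a boolean, so `create_mgmt_network_condition = var.mgmt_network_cidr != ""` and `ICMP_traffic_condition = length(var.ICMP_traffic) > 0` read more directly, and `locals{` wants a space before the brace to match `terraform fmt`. Worth documenting next to these locals that `""` is the only value meaning 'reuse the existing network', since the README's conditional-creation example currently shows a CIDR for that case.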
diff --git a/modules/network-security-integration/main.tf b/modules/network-security-integration/main.tf
new file mode 100644
index 0000000..a0d8e1f
--- /dev/null
+++ b/modules/network-security-integration/main.tf
@@ -0,0 +1,159 @@
+resource "random_string" "nsi_random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+resource "random_string" "random_string" {
+ length = 5
+ special = false
+ upper = false
+ keepers = {}
+}
+module "common" {
+ source = "../common/common"
+ installation_type = "Network Security Integration"
+ os_version = var.os_version
+ image_name = var.image_name
+ admin_shell = var.admin_shell
+ license = var.license
+ admin_SSH_key = var.admin_SSH_key
+}
+
+module "mgmt_network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-mgmt-network-${random_string.nsi_random_string.result}"
+ type = "nsi"
+ network_cidr = var.mgmt_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.mgmt_network_name
+ subnetwork_name = var.mgmt_subnetwork_name
+}
+module "security_network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-security-network-${random_string.nsi_random_string.result}"
+ type = "nsi"
+ network_cidr = var.security_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.security_network_name
+ subnetwork_name = var.security_subnetwork_name
+}
+
+module "service_network_and_subnet" {
+ source = "../common/network-and-subnet"
+ prefix = "${var.prefix}-service-network-${random_string.nsi_random_string.result}"
+ type = "nsi"
+ network_cidr = var.service_network_cidr
+ private_ip_google_access = true
+ region = var.region
+ network_name = var.service_network_name
+ subnetwork_name = var.service_subnetwork_name
+}
+
+module "network_ICMP_firewall_rules" {
+ count = local.ICMP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "icmp"
+ source_ranges = var.ICMP_traffic
+ rule_name = "${var.prefix}-icmp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "network_TCP_firewall_rules" {
+ count = local.TCP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "tcp"
+ source_ranges = var.TCP_traffic
+ rule_name = "${var.prefix}-tcp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "network_UDP_firewall_rules" {
+ count = local.UDP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "udp"
+ source_ranges = var.UDP_traffic
+ rule_name = "${var.prefix}-udp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "network_SCTP_firewall_rules" {
+ count = local.SCTP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "sctp"
+ source_ranges = var.UDP_traffic
+ rule_name = "${var.prefix}-sctp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+module "network_ESP_firewall_rules" {
+ count = local.ESP_traffic_condition == true ? 1 :0
+ source = "../common/firewall-rule"
+ protocol = "esp"
+ source_ranges = var.ESP_traffic
+ rule_name = "${var.prefix}-esp-${random_string.random_string.result}"
+ network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+}
+
+module "security_network_allow_udp_6081_firewall" {
+ source = "../common/firewall-rule"
+ protocol = "udp"
+ source_ranges = [module.security_network_and_subnet.gateway_address]
+ ports = ["6081"]
+ rule_name = "${var.prefix}-data-network-allow-udp-6081"
+ network = local.create_security_network_condition ? module.security_network_and_subnet.new_created_network_link : module.security_network_and_subnet.existing_network_link
+}
+
+module "security_network_allow_tcp_8117_hc_ranges_firewall" {
+ source = "../common/firewall-rule"
+ protocol = "tcp"
+ source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
+ ports = ["8117"]
+ rule_name = "${var.prefix}-data-network-allow-tcp-8117-hc-ranges"
+ network = local.create_security_network_condition ? module.security_network_and_subnet.new_created_network_link : module.security_network_and_subnet.existing_network_link
+}
+
+module "network-security-integration" {
+ source = "../common/network-security-integration-common"
+
+ service_account_path = var.service_account_path
+ project = var.project
+ organization_id = var.organization_id
+
+ # --- Check Point---
+ sic_key = var.sic_key
+ prefix = var.prefix
+ image_name = var.image_name
+ os_version = var.os_version
+ management_nic = var.management_nic
+ management_name = var.management_name
+ configuration_template_name = var.configuration_template_name
+ generate_password = var.generate_password
+ admin_SSH_key = var.admin_SSH_key
+ maintenance_mode_password_hash = var.maintenance_mode_password_hash
+ admin_shell = var.admin_shell
+ allow_upload_download = var.allow_upload_download
+
+ # --- Networking ---
+ region = var.region
+ intercept_deployment_zones = var.intercept_deployment_zones
+ mgmt_network = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_network_link : module.mgmt_network_and_subnet.existing_network_link
+ mgmt_subnetwork = local.create_mgmt_network_condition ? module.mgmt_network_and_subnet.new_created_subnet_link : [var.mgmt_subnetwork_name]
+ security_network = local.create_security_network_condition ? module.security_network_and_subnet.new_created_network_link : module.security_network_and_subnet.existing_network_link
+ security_subnetwork = local.create_security_network_condition ? module.security_network_and_subnet.new_created_subnet_link : [var.security_subnetwork_name]
+ service_network = local.create_service_network_condition ? module.service_network_and_subnet.new_created_network_link : module.service_network_and_subnet.existing_network_link
+ service_subnetwork = local.create_service_network_condition ? module.service_network_and_subnet.new_created_subnet_link : [var.service_subnetwork_name]
+ ICMP_traffic = var.ICMP_traffic
+ TCP_traffic = var.TCP_traffic
+ UDP_traffic = var.UDP_traffic
+ SCTP_traffic = var.SCTP_traffic
+ ESP_traffic = var.ESP_traffic
+
+ # --- Instance Configuration ---
+ machine_type = var.machine_type
+ cpu_usage = var.cpu_usage
+ instances_min_group_size = var.instances_min_group_size
+ instances_max_group_size = var.instances_max_group_size
+ disk_type = var.disk_type
+ disk_size = var.disk_size
+ enable_monitoring = var.enable_monitoring
+ connection_draining_timeout = var.connection_draining_timeout
+}
\ No newline at end of file
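Review bot: the SCTP rule in `module "network_SCTP_firewall_rules"` reads `source_ranges = var.UDP_traffic` instead of `var.SCTP_traffic`, so the SCTP allow-list is silently driven by the UDP source ranges and `var.SCTP_traffic` (still passed to the common module further down) has no effect on the firewall; change it to `source_ranges = var.SCTP_traffic`. Minor: the `count = local.X_traffic_condition == true ? 1 :0` comparisons can be written `count = local.X_traffic_condition ? 1 : 0`, and the hard-coded `35.191.0.0/16` and `130.211.0.0/22` ranges in `security_network_allow_tcp_8117_hc_ranges_firewall` deserve a comment saying they are the load-balancer health-check probe ranges so nobody widens them later.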
diff --git a/modules/network-security-integration/output.tf b/modules/network-security-integration/output.tf
new file mode 100644
index 0000000..0eea9ef
--- /dev/null
+++ b/modules/network-security-integration/output.tf
@@ -0,0 +1,58 @@
+output "mgmt_network_name" {
+ value = module.mgmt_network_and_subnet.new_created_network_name
+}
+output "mgmt_subnetwork_name" {
+ value = module.mgmt_network_and_subnet.new_created_subnet_name
+}
+output "security_network_name" {
+ value = module.security_network_and_subnet.new_created_network_name
+}
+output "security_subnetwork_name" {
+ value = module.security_network_and_subnet.new_created_subnet_name
+}
+output "security_network_gateway_address" {
+ value = module.security_network_and_subnet.gateway_address
+}
+output "service_network_name" {
+ value = module.service_network_and_subnet.new_created_network_name
+}
+output "service_subnetwork_name" {
+ value = module.service_network_and_subnet.new_created_subnet_name
+}
+output "network_ICMP_firewall_rule" {
+ value = module.network_ICMP_firewall_rules[*].firewall_rule_name
+}
+output "network_TCP_firewall_rule" {
+ value = module.network_TCP_firewall_rules[*].firewall_rule_name
+}
+output "network_UDP_firewall_rule" {
+ value = module.network_UDP_firewall_rules[*].firewall_rule_name
+}
+output "network_SCTP_firewall_rule" {
+ value = module.network_SCTP_firewall_rules[*].firewall_rule_name
+}
+output "network_ESP_firewall_rule" {
+ value = module.network_ESP_firewall_rules[*].firewall_rule_name
+}
+output "management_name"{
+ value = module.network-security-integration.management_name
+}
+output "configuration_template_name"{
+ value = module.network-security-integration.configuration_template_name
+}
+output "instance_template_name"{
+ value = module.network-security-integration.instance_template_name
+}
+output "instance_group_manager_name"{
+ value = module.network-security-integration.instance_group_manager_name
+}
+output "autoscaler_name"{
+ value = module.network-security-integration.autoscaler_name
+}
+output "security_policy_id" {
+ value = module.network-security-integration.security_policy_id
+}
+output "intercept_endpoint_group_id" {
+ value = module.network-security-integration.intercept_endpoint_group_id
+ description = "The ID of the intercept endpoint group."
+}
\ No newline at end of file
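Review bot: only `intercept_endpoint_group_id` carries a `description`; the other outputs (network and subnet names, firewall rule names, MIG, template and autoscaler names, `security_policy_id`) should get one too for a published module. Also check `mgmt_network_name`, `security_network_name` and `service_network_name`: they always read `new_created_network_name`, but main.tf creates those networks only when the corresponding `create_*_network_condition` is true, so when an existing network is supplied these outputs will be empty instead of returning the existing name. Style: `output "management_name"{` and the four outputs after it are missing the space before `{`.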
diff --git a/modules/network-security-integration/variables.tf b/modules/network-security-integration/variables.tf
new file mode 100644
index 0000000..4d402fe
--- /dev/null
+++ b/modules/network-security-integration/variables.tf
@@ -0,0 +1,260 @@
+# Check Point CloudGuard IaaS Network Security Integration - Terraform Template
+
+# --- Google Provider ---
+variable "service_account_path" {
+ type = string
+ description = "User service account path in JSON format - From the service account key page in the Cloud Console choose an existing account or create a new one. Next, download the JSON key file. Name it something you can remember, store it somewhere secure on your machine, and supply the path to the location is stored."
+ default = ""
+}
+variable "project" {
+ type = string
+ description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+ default = ""
+ validation {
+ condition = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project)) && length(var.project) >= 6 && length(var.project) <= 30
+ error_message = "The project ID must be 6-30 characters long, start with a letter, and can only include lowercase letters, numbers, hyphenst and cannot end with a hyphen."
+ }
+}
+
+variable "organization_id" {
+ type = string
+ description = "Organization ID - The organization ID is a unique identifier for your organization in GCP. It is used to manage resources and permissions within your organization."
+ default = ""
+}
+
+# --- Check Point---
+variable "prefix" {
+ type = string
+ description = "(Optional) Resources name prefix"
+ default = "chkp-tf-nsi"
+}
+variable "license" {
+ type = string
+ description = "Checkpoint license (BYOL)."
+ default = "BYOL"
+ validation {
+ condition = contains(["BYOL"] , var.license)
+ error_message = "Allowed licenses are 'BYOL'"
+ }
+}
+variable "image_name" {
+ type = string
+ description = "The NSI image name (e.g. check-point-r8120-gw-byol-nsi-631-991001866-v20250731)."
+}
+variable "os_version" {
+ type = string
+ description = "GAIA OS version"
+ default = "R8120"
+}
+variable "management_nic" {
+ type = string
+ description = "Management Interface - Autoscaling Security Gateways in GCP can be managed by an ephemeral public IP or using the private IP of the internal interface (eth1)."
+ default = "Ephemeral Public IP (eth0)"
+ validation {
+ condition = contains(["Ephemeral Public IP (eth0)", "Private IP (eth0)"], var.management_nic)
+ error_message = "Allowed values for management_nic are 'Ephemeral Public IP (eth0)', 'Private IP (eth0)'"
+ }
+}
+variable "management_name" {
+ type = string
+ description = "The name of the Security Management Server as appears in autoprovisioning configuration. (Please enter a valid Security Management name including ascii characters only)"
+ default = "tf-checkpoint-management"
+}
+variable "configuration_template_name" {
+ type = string
+ description = "Specify the provisioning configuration template name (for autoprovisioning). (Please enter a valid autoprovisioing configuration template name including ascii characters only)"
+ default = "tf-asg-autoprov-tmplt"
+}
+variable "generate_password" {
+ type = bool
+ description = "Automatically generate an administrator password"
+ default = false
+}
+variable "admin_SSH_key" {
+ type = string
+ description = "(Optional) The SSH public key for SSH authentication to the MIG instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+ default = ""
+}
+variable "maintenance_mode_password_hash" {
+ description = "Maintenance mode password hash, relevant only for R81.20 and higher versions"
+ type = string
+ default = ""
+}
+variable "admin_shell" {
+ type = string
+ description = "Change the admin shell to enable advanced command line configuration."
+ default = "/etc/cli.sh"
+ validation {
+ condition = contains(["/etc/cli.sh", "/bin/bash", "/bin/tcsh", "/bin/csh"], var.admin_shell)
+ error_message = "Valid shells are '/etc/cli.sh', '/bin/bash', '/bin/tcsh', '/bin/csh'"
+ }
+}
+variable "allow_upload_download" {
+ type = bool
+ description = "Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point"
+ default = true
+}
+
+variable "sic_key" {
+ type = string
+ description ="The Secure Internal Communication one time secret used to set up trust between the gatewayes objects and the management server"
+ default = ""
+ validation {
+ condition = can(regex("^[a-z0-9A-Z]{12,30}$", var.sic_key))
+ error_message = "Only alphanumeric characters are allowed, and the value must be 12-30 characters long."
+ }
+}
+
+# --- Networking ---
+data "google_compute_regions" "available_regions" {
+}
+variable "region" {
+ type = string
+ default = "us-central1"
+}
+
+data "google_compute_zones" "available_zones" {
+ region = var.region
+}
+
+variable "intercept_deployment_zones" {
+ type = list(string)
+ description = "The list of zones for which a network security intercept deployment will be deployed. The zones must be in the same region as the deployment."
+ default = ["us-central1-a"]
+ validation {
+ condition = length(var.intercept_deployment_zones) > 0
+ error_message = "The intercept_deployment_zones variable must contain at least one zone."
+ }
+ validation {
+ condition = length([
+ for zone in var.intercept_deployment_zones :
+ zone if contains(data.google_compute_zones.available_zones.names, zone)
+ ]) == length(var.intercept_deployment_zones)
+ error_message = "One or more specified zones are not available in the selected region ${var.region}. Please choose zones within this region."
+ }
+}
+
+variable "mgmt_network_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+ default = "10.0.1.0/24"
+}
+variable "security_network_cidr" {
+ type = string
+ description = "The range of internal addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+ default = "10.0.2.0/24"
+}
+variable "ICMP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ICMP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ICMP traffic."
+ default = []
+}
+variable "TCP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for TCP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable TCP traffic."
+ default = []
+}
+variable "UDP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for UDP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable UDP traffic."
+ default = []
+}
+variable "SCTP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for SCTP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable SCTP traffic."
+ default = []
+}
+variable "ESP_traffic" {
+ type = list(string)
+ description = "(Optional) Source IP ranges for ESP traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. Please leave empty list to unable ESP traffic."
+ default = []
+}
+
+# --- Instance Configuration ---
+variable "machine_type" {
+ type = string
+ default = "n2-standard-4"
+}
+variable "cpu_usage" {
+ type = number
+ description = "Target CPU usage (%) - Autoscaling adds or removes instances in the group to maintain this level of CPU usage on each instance."
+ default = 60
+}
+resource "null_resource" "cpu_usage_validation" {
+ // Will fail if var.cpu_usage is less than 10 or more than 90
+ count = var.cpu_usage >= 10 && var.cpu_usage <= 90 ? 0 : "variable cpu_usage must be a number between 10 and 90"
+}
+variable "instances_min_group_size" {
+ type = number
+ description = "The minimal number of instances"
+ default = 2
+}
+variable "instances_max_group_size" {
+ type = number
+ description = "The maximal number of instances"
+ default = 10
+}
+variable "mgmt_network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+ default = ""
+}
+variable "mgmt_subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork's range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+}
+variable "security_network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+}
+variable "security_subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork's range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+}
+variable "disk_type" {
+ type = string
+ description = "Storage space is much less expensive for a standard Persistent Disk. An SSD Persistent Disk is better for random IOPS or streaming throughput with low latency."
+ default = "SSD Persistent Disk"
+ validation {
+ condition = contains(["SSD Persistent Disk" , "Standard Persistent Disk"] , var.disk_type)
+ error_message = "Allowed values for diskType are : 'SSD Persistent Disk' , 'Standard Persistent Disk'"
+ }
+}
+variable "disk_size" {
+ type = number
+ description = "Disk size in GB - Persistent disk performance is tied to the size of the persistent disk volume. You are charged for the actual amount of provisioned disk space."
+ default = 100
+}
+resource "null_resource" "disk_size_validation" {
+ // Will fail if var.disk_size is less than 100 or more than 4096
+ count = var.disk_size >= 100 && var.disk_size <= 4096 ? 0 : "variable disk_size must be a number between 100 and 4096"
+}
+variable "enable_monitoring" {
+ type = bool
+ description = "Enable Stackdriver monitoring"
+ default = false
+}
+
+variable "service_network_name" {
+ type = string
+ description = "The network determines what network traffic the instance can access"
+ default = ""
+}
+
+variable "service_subnetwork_name" {
+ type = string
+ description = "Assigns the instance an IPv4 address from the subnetwork's range. Instances in different subnetworks can communicate with each other using their internal IPs as long as they belong to the same network."
+ default = ""
+}
+
+variable "service_network_cidr" {
+ type = string
+ description = "The range of external addresses that are owned by this network, only IPv4 is supported (e.g. \"10.0.0.0/8\" or \"192.168.0.0/16\")."
+ default = "10.0.3.0/24"
+}
+
+variable "connection_draining_timeout" {
+ type = number
+ description = "The time, in seconds, that the load balancer waits for active connections to complete before fully removing an instance from the backend group. The default value is 300 seconds."
+ default = 300
+}
\ No newline at end of file
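Review bot: the second `validation` block of `intercept_deployment_zones` references `data.google_compute_zones.available_zones.names` and interpolates `${var.region}` in its error message; validation conditions that refer to anything other than the variable itself are only accepted by Terraform 1.9 and later, while versions.tf pins only `required_version = ">= 0.13"`, so raise the constraint or move that check out of the variable block. Likewise `null_resource.cpu_usage_validation` and `null_resource.disk_size_validation` rely on a type mismatch on `count` to fail the plan; these belong in `validation` blocks on `cpu_usage` and `disk_size` (`condition = var.cpu_usage >= 10 && var.cpu_usage <= 90`), and as written they also pull in the `hashicorp/null` provider, which `required_providers` does not declare. Text fixes: `hyphenst` in the `project` error message; "supply the path to the location is stored" in `service_account_path`; `gatewayes` and the missing space in `description ="` in `sic_key`; the five `*_traffic` descriptions say "leave empty list to unable ... traffic" where "disable" is meant; and `management_nic` describes the private option as "the internal interface (eth1)" while the only allowed value is `Private IP (eth0)`. `data "google_compute_regions" "available_regions"` is declared but never used.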
diff --git a/modules/network-security-integration/versions.tf b/modules/network-security-integration/versions.tf
new file mode 100644
index 0000000..8212362
--- /dev/null
+++ b/modules/network-security-integration/versions.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 0.13"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 3.53, < 5.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.4"
+ }
+ }
+
+ provider_meta "google" {
+ module_name = "blueprints/terraform/canonical-mp/v0.0.1"
+ }
+}
\ No newline at end of file
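Review bot: `required_providers` omits `hashicorp/null`, which variables.tf uses for `null_resource.cpu_usage_validation` and `null_resource.disk_size_validation`; either add it or replace those resources with `validation` blocks. The google constraint `>= 3.53, < 5.0` also looks inherited from an older module: output.tf exposes `intercept_endpoint_group_id` and `security_policy_id` from the common module, so confirm that a provider version below 5.0 actually offers the intercept endpoint group and security policy resources the common module creates, otherwise `terraform init` will resolve a provider that cannot plan this module. `provider_meta "google"` with `module_name = "blueprints/terraform/canonical-mp/v0.0.1"` reads like a template placeholder and should name this module.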