This Terraform module deploys Check Point CloudGuard IaaS High Availability solution into a new Vnet in Azure. As part of the deployment the following resources are created:
- Resource group
- Virtual network
- Network security group
- System assigned identity
- Availability Set - conditional creation
For additional information, please see the CloudGuard Network for Azure High Availability Cluster Deployment Guide
This solution uses the following modules:
- /terraform/azure/modules/common - used for creating a resource group and defining common variables.
- /terraform/azure/modules/vnet - used for creating new virtual network and subnets.
- /terraform/azure/modules/network-security-group - used for creating new network security groups and rules.
- Install and configure Terraform to provision Azure resources: Configure Terraform for Azure
- To use an SSH connection to the VMs, add a public key to the /terraform/azure/high-availability-new-vnet/azure_public_key file.
Choose the preferred login method to Azure in order to deploy the solution:

1. Using Service Principal:
   - Create a Service Principal (or use an existing one)
   - Grant the Service Principal at least "Managed Application Contributor", "Storage Account Contributor", "Network Contributor", "Virtual Machine Contributor", "User Access Administrator" permissions to the Azure subscription
   - The Service Principal credentials can be stored either in the terraform.tfvars or as Environment Variables

     In case the Environment Variables are used, perform the modifications described below:

     a. The next lines in the main.tf file, in the provider azurerm resource, need to be deleted or commented:
     ```hcl
     provider "azurerm" {
       // subscription_id = var.subscription_id
       // client_id       = var.client_id
       // client_secret   = var.client_secret
       // tenant_id       = var.tenant_id
       features {}
     }
     ```
     b. In the terraform.tfvars file leave empty double quotes for the client_secret, client_id, tenant_id and subscription_id variables:
     ```hcl
     client_secret   = ""
     client_id       = ""
     tenant_id       = ""
     subscription_id = ""
     ```
2. Using az commands from a command-line:
   - Run the az login command
   - Sign in with your account credentials in the browser
   - Accept the Azure Marketplace image terms by running az vm image terms accept --urn publisher:offer:sku:version, where:
     - publisher = checkpoint;
     - offer = vm_os_offer (see accepted values in the table below);
     - sku = vm_os_sku (see accepted values in the table below);
     - version = latest

     Example:
     ```
     az vm image terms accept --urn checkpoint:check-point-cg-r8040:sg-byol:latest
     ```
   - In the terraform.tfvars file leave empty double quotes for the client_secret, client_id and tenant_id variables.

Then deploy the solution:

- Fill all variables in the /terraform/azure/high-availability-new-vnet/terraform.tfvars file with proper values (see below for variable descriptions).
- From a command line initialize the Terraform configuration directory:
  ```
  terraform init
  ```
- Create an execution plan:
  ```
  terraform plan
  ```
- Create or modify the deployment:
  ```
  terraform apply
  ```
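The "credentials as Environment Variables" option above relies on two things being true at the same time: the azurerm provider's ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID variables are set in the shell, and terraform.tfvars keeps the matching four entries as empty strings so the client secret is never written to a file that normally lives in version control. The preflight script below checks both, plus that main.tf no longer passes the credential variables to the provider. It is an added example, not part of the Check Point module; the function names `tfvar` and `check_sp_credentials` are this example's own, and it only looks at the `NAME = "value"` line form used by the module's terraform.tfvars.

```shell
#!/bin/sh
# Added example (not part of the Check Point module): preflight check for the
# "Service Principal credentials as Environment Variables" deployment option.
# The azurerm provider reads ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and
# ARM_SUBSCRIPTION_ID from the environment; the four matching tfvars entries must
# stay as "" so the secret is never written into terraform.tfvars.

# tfvar FILE NAME -> prints the value of a `NAME = "..."` line in FILE (empty if absent).
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_sp_credentials TFVARS_FILE [MAIN_TF] -> 0 when the credential layout is safe,
# 1 otherwise. Findings go to stderr; credential values themselves are never printed.
check_sp_credentials() {
  tfvars_file=$1
  main_tf=${2:-}
  status=0

  # 1. Every ARM_* variable the provider relies on must be present and non-empty.
  for var_name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "var_value=\${$var_name:-}"
    if [ -z "$var_value" ]; then
      echo "missing environment variable: $var_name" >&2
      status=1
    fi
  done

  # 2. The same four settings must be empty strings in terraform.tfvars.
  for key in client_secret client_id tenant_id subscription_id; do
    if [ -n "$(tfvar "$tfvars_file" "$key")" ]; then
      echo "$key is set in $tfvars_file; leave it as \"\" when using environment variables" >&2
      status=1
    fi
  done

  # 3. The README requires the credential lines in the provider block to be deleted or
  #    commented; an uncommented `client_secret = ...` line at the start of a line means
  #    the empty tfvars value is still being passed to the provider.
  if [ -n "$main_tf" ] && grep -Eq '^[[:space:]]*(client_secret|client_id|tenant_id|subscription_id)[[:space:]]*=' "$main_tf"; then
    echo "$main_tf still passes credential variables to the provider; delete or comment those lines" >&2
    status=1
  fi

  return "$status"
}

# Usage (sourcing the file only defines the functions):
#   . ./preflight.sh && check_sp_credentials terraform.tfvars main.tf && terraform plan
```

Run it from the deployment directory before `terraform plan`; a non-zero exit means a credential is either missing from the environment or still present on disk.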
Name | Description | Type | Allowed values |
---|---|---|---|
client_secret | The client secret of the Service Principal used to deploy the solution | string | |
client_id | The client ID of the Service Principal used to deploy the solution | string | |
tenant_id | The tenant ID of the Service Principal used to deploy the solution | string | |
subscription_id | The subscription ID is used to pay for Azure cloud services | string | |
source_image_vhd_uri | The URI of the blob containing the development image. Please use noCustomUri if you want to use marketplace images. | string | |
resource_group_name | The name of the resource group that will contain the contents of the deployment | string | Resource group names only allow alphanumeric characters, periods, underscores, hyphens and parenthesis and cannot end in a period |
location | The region where the resources will be deployed at. | string | The full list of Azure regions can be found at https://azure.microsoft.com/regions |
cluster_name | The name of the Check Point Cluster Object | string | Only alphanumeric characters are allowed, and the name must be 1-30 characters long |
vnet_name | The name of virtual network that will be created | string | The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens |
address_space | The address prefixes of the virtual network | string | Valid CIDR block |
subnet_prefixes | The address prefixes to be used for the created subnets | string | The subnets must be contained within the address space of this virtual network (defined by the address_space variable) |
admin_password | The password associated with the local administrator account on each cluster member | string | Password must have 3 of the following: 1 lower case character, 1 upper case character, 1 number, and 1 special character |
smart_1_cloud_token_a | Smart-1 Cloud token to connect Member A automatically to Check Point's Security Management as a Service. Follow these instructions to quickly connect this member to Smart-1 Cloud - SK180501 | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal |
smart_1_cloud_token_b | Smart-1 Cloud token to connect Member B automatically to Check Point's Security Management as a Service. Follow these instructions to quickly connect this member to Smart-1 Cloud - SK180501 | string | A valid token copied from the Connect Gateway screen in the Smart-1 Cloud portal |
sic_key | The Secure Internal Communication one time secret used to set up trust between the cluster object and the management server | string | Only alphanumeric characters are allowed, and the value must be 12-30 characters long |
vm_size | Specifies the size of Virtual Machine | string | "Standard_DS2_v2", "Standard_DS3_v2", "Standard_DS4_v2", "Standard_DS5_v2", "Standard_F2s", "Standard_F4s", "Standard_F8s", "Standard_F16s", "Standard_D4s_v3", "Standard_D8s_v3", "Standard_D16s_v3", "Standard_D32s_v3", "Standard_D64s_v3", "Standard_E4s_v3", "Standard_E8s_v3", "Standard_E16s_v3", "Standard_E20s_v3", "Standard_E32s_v3", "Standard_E64s_v3", "Standard_E64is_v3", "Standard_F4s_v2", "Standard_F8s_v2", "Standard_F16s_v2", "Standard_F32s_v2", "Standard_F64s_v2", "Standard_M8ms", "Standard_M16ms", "Standard_M32ms", "Standard_M64ms", "Standard_M64s", "Standard_D2_v2", "Standard_D3_v2", "Standard_D4_v2", "Standard_D5_v2", "Standard_D11_v2", "Standard_D12_v2", "Standard_D13_v2", "Standard_D14_v2", "Standard_D15_v2", "Standard_F2", "Standard_F4", "Standard_F8", "Standard_F16", "Standard_D4_v3", "Standard_D8_v3", "Standard_D16_v3", "Standard_D32_v3", "Standard_D64_v3", "Standard_E4_v3", "Standard_E8_v3", "Standard_E16_v3", "Standard_E20_v3", "Standard_E32_v3", "Standard_E64_v3", "Standard_E64i_v3", "Standard_DS11_v2", "Standard_DS12_v2", "Standard_DS13_v2", "Standard_DS14_v2", "Standard_DS15_v2", "Standard_D2_v5", "Standard_D4_v5", "Standard_D8_v5", "Standard_D16_v5","Standard_D32_v5", "Standard_D2s_v5", "Standard_D4s_v5", "Standard_D8s_v5", "Standard_D16s_v5", "Standard_D2d_v5", "Standard_D4d_v5", "Standard_D8d_v5", "Standard_D16d_v5", "Standard_D32d_v5", "Standard_D2ds_v5", "Standard_D4ds_v5", "Standard_D8ds_v5", "Standard_D16ds_v5", "Standard_D32ds_v5" |
disk_size | Storage data disk size (GB) | string | A number in the range 100 - 3995 (GB) |
vm_os_sku | A sku of the image to be deployed | string | "sg-byol" - BYOL license for R80.40 and above; "sg-ngtp" - NGTP PAYG license for R80.40 and above; "sg-ngtx" - NGTX PAYG license for R80.40 and above |
vm_os_offer | The name of the image offer to be deployed | string | "check-point-cg-r8040"; "check-point-cg-r81"; "check-point-cg-r8110"; "check-point-cg-r8120"; |
os_version | GAIA OS version | string | "R8040"; "R81"; "R8110"; "R8120"; |
bootstrap_script | An optional script to run on the initial boot | string | Bootstrap script example: "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt" The script will create the bootstrap.txt file in /home/admin/ and write the 'hello_world' string into it |
allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | boolean | true; false; |
authentication_type | Specifies whether a password authentication or SSH Public Key authentication should be used | string | "Password"; "SSH Public Key"; |
availability_type | Specifies whether to deploy the solution based on Azure Availability Set or based on Azure Availability Zone. | string | "Availability Zone"; "Availability Set"; |
enable_custom_metrics | Indicates whether CloudGuard Metrics will be used for cluster member monitoring. | boolean | true; false; |
enable_floating_ip | Indicates whether the load balancers will be deployed with floating IP. | boolean | true; false; |
use_public_ip_prefix | Indicates whether the public IP resources will be deployed with public IP prefix. | boolean | true; false; |
create_public_ip_prefix | Indicates whether a public IP prefix will be created or an existing one will be used. | boolean | true; false; |
existing_public_ip_prefix_id | The existing public IP prefix resource id. | string | Existing public IP prefix resource id |
admin_shell | Selects the admin shell | string | /etc/cli.sh; /bin/bash; /bin/csh; /bin/tcsh; |
serial_console_password_hash | Optional parameter, used to enable serial console connection when SSH key is the authentication type. To generate the password hash, run 'openssl passwd -6 PASSWORD' on Linux and paste the result here. | string | |
maintenance_mode_password_hash | Maintenance mode password hash, relevant only for R81.20 and higher versions. To generate the password hash, run 'grub2-mkpasswd-pbkdf2' on Linux and paste the result here. | string | |
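The table above is the contract for terraform.tfvars, and the `az vm image terms accept` step earlier builds its URN from two of those values (vm_os_offer and vm_os_sku). The script below, an added example that is not part of the Check Point module, checks a terraform.tfvars file against the listed allowed values before `terraform plan` is run and prints the URN to accept. It covers the enumerated variables, the disk_size range, the sic_key and resource_group_name format rules, and the dependency between use_public_ip_prefix, create_public_ip_prefix and existing_public_ip_prefix_id; it does not validate vm_size, CIDR containment or cluster_name, and it does not call `az` itself. The function names `tfvar`, `tfvar_bool`, `problem`, `validate_tfvars` and `image_urn` are this example's own, and the allowed values are copied from the table.

```shell
#!/bin/sh
# Added example (not part of the Check Point module): validate terraform.tfvars
# against the allowed values in the variables table and print the marketplace
# image URN expected by `az vm image terms accept --urn publisher:offer:sku:version`.

# tfvar FILE NAME -> value of a `NAME = "..."` line in FILE (empty if absent).
tfvar() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# tfvar_bool FILE NAME -> unquoted true/false value of `NAME = true|false` (empty if absent).
tfvar_bool() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p" "$1" | head -n 1
}

# problem MESSAGE -> report one finding on stderr and mark the run as failed.
problem() { echo "tfvars: $1" >&2; status=1; }

# validate_tfvars FILE -> 0 when every checked variable satisfies the table, 1 otherwise.
validate_tfvars() {
  f=$1
  status=0
  case "$(tfvar "$f" vm_os_offer)" in
    check-point-cg-r8040|check-point-cg-r81|check-point-cg-r8110|check-point-cg-r8120) ;;
    *) problem "vm_os_offer is not one of the listed image offers" ;;
  esac
  case "$(tfvar "$f" vm_os_sku)" in
    sg-byol|sg-ngtp|sg-ngtx) ;;
    *) problem "vm_os_sku must be sg-byol, sg-ngtp or sg-ngtx" ;;
  esac
  case "$(tfvar "$f" os_version)" in
    R8040|R81|R8110|R8120) ;;
    *) problem "os_version is not one of the listed GAIA versions" ;;
  esac
  case "$(tfvar "$f" authentication_type)" in
    "Password"|"SSH Public Key") ;;
    *) problem "authentication_type must be \"Password\" or \"SSH Public Key\"" ;;
  esac
  case "$(tfvar "$f" availability_type)" in
    "Availability Zone"|"Availability Set") ;;
    *) problem "availability_type must be \"Availability Zone\" or \"Availability Set\"" ;;
  esac
  case "$(tfvar "$f" admin_shell)" in
    /etc/cli.sh|/bin/bash|/bin/csh|/bin/tcsh) ;;
    *) problem "admin_shell is not one of the listed shells" ;;
  esac
  # disk_size: a number in the range 100 - 3995 (GB).
  ds=$(tfvar "$f" disk_size)
  if ! echo "$ds" | grep -Eq '^[0-9]+$' || [ "$ds" -lt 100 ] || [ "$ds" -gt 3995 ]; then
    problem "disk_size must be a number between 100 and 3995"
  fi
  # sic_key: 12-30 alphanumeric characters. Only the format is checked; the value is never echoed.
  if ! tfvar "$f" sic_key | grep -Eq '^[A-Za-z0-9]{12,30}$'; then
    problem "sic_key must be 12-30 alphanumeric characters"
  fi
  # resource_group_name: alphanumerics, periods, underscores, hyphens, parentheses; no trailing period.
  if ! tfvar "$f" resource_group_name | grep -Eq '^[A-Za-z0-9._()-]+$' \
     || tfvar "$f" resource_group_name | grep -q '\.$'; then
    problem "resource_group_name has invalid characters or ends with a period"
  fi
  # Reusing an existing public IP prefix requires its resource id.
  if [ "$(tfvar_bool "$f" use_public_ip_prefix)" = true ] \
     && [ "$(tfvar_bool "$f" create_public_ip_prefix)" = false ] \
     && [ -z "$(tfvar "$f" existing_public_ip_prefix_id)" ]; then
    problem "existing_public_ip_prefix_id is required when use_public_ip_prefix = true and create_public_ip_prefix = false"
  fi
  return "$status"
}

# image_urn FILE -> publisher:offer:sku:version for `az vm image terms accept --urn`.
image_urn() {
  printf 'checkpoint:%s:%s:latest\n' "$(tfvar "$1" vm_os_offer)" "$(tfvar "$1" vm_os_sku)"
}

# Usage (sourcing the file only defines the functions):
#   . ./tfvars-check.sh && validate_tfvars terraform.tfvars \
#     && az vm image terms accept --urn "$(image_urn terraform.tfvars)"
```

Because the checks mirror the table rather than the module's variables.tf, keep them in step with the table when a new offer or GAIA version is added.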
- To deploy the solution based on Azure Availability Set and create a new Availability Set for the virtual machines:
  ```hcl
  availability_type = "Availability Set"
  ```
  Otherwise, to deploy the solution based on Azure Availability Zone:
  ```hcl
  availability_type = "Availability Zone"
  ```
- To enable CloudGuard metrics in order to send statuses and statistics collected from HA instances to the Azure Monitor service:
  ```hcl
  enable_custom_metrics = true
  ```
- To create a new public IP prefix for the public IP:
  ```hcl
  use_public_ip_prefix    = true
  create_public_ip_prefix = true
  ```
- To use an existing public IP prefix for the public IP:
  ```hcl
  use_public_ip_prefix         = true
  create_public_ip_prefix      = false
  existing_public_ip_prefix_id = "public IP prefix resource id"
  ```
Example terraform.tfvars file (the "x" values are placeholders to be replaced):

```hcl
client_secret                  = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
client_id                      = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
tenant_id                      = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
subscription_id                = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
source_image_vhd_uri           = "noCustomUri"
resource_group_name            = "checkpoint-ha-terraform"
cluster_name                   = "checkpoint-ha-terraform"
location                       = "eastus"
vnet_name                      = "checkpoint-ha-vnet"
address_space                  = "10.0.0.0/16"
subnet_prefixes                = ["10.0.1.0/24","10.0.2.0/24"]
admin_password                 = "xxxxxxxxxxxx"
smart_1_cloud_token_a          = "xxxxxxxxxxxx"
smart_1_cloud_token_b          = "xxxxxxxxxxxx"
sic_key                        = "xxxxxxxxxxxx"
vm_size                        = "Standard_D3_v2"
disk_size                      = "110"
vm_os_sku                      = "sg-byol"
vm_os_offer                    = "check-point-cg-r8110"
os_version                     = "R8110"
bootstrap_script               = "touch /home/admin/bootstrap.txt; echo 'hello_world' > /home/admin/bootstrap.txt"
allow_upload_download          = true
authentication_type            = "Password"
availability_type              = "Availability Zone"
enable_custom_metrics          = true
enable_floating_ip             = false
use_public_ip_prefix           = false
create_public_ip_prefix        = false
existing_public_ip_prefix_id   = ""
admin_shell                    = "/etc/cli.sh"
serial_console_password_hash   = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
maintenance_mode_password_hash = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```
To check the template version, refer to sk116585.
Template Version | Description |
---|---|
20230212 | - Added Smart-1 Cloud support |
20221124 | - Added R81.20 support - Upgraded azurerm provider |
20220111 | - Added support to select different shells. |
20210309 | - Add "source_image_vhd_uri" variable for using a custom development image |
20210111 | - Update terraform version to 0.14.3 - Update azurerm version to 2.17.0 - Add authentication_type variable for choosing the authentication type. - Merge ha-availability-set-new-vnet and ha-availability-zones-new-vnet deployments to one deployment. - Adding support for R81. - Add support to CloudGuards metrics. - Update resources for NSG #67 - The cluster member current state is kept when redeploying. - Avoid role-assignment re-creation when re-apply |
20200508 | - Add backend load balancer rules resource. - Rename the health probe for the backend load balancer. - Rename the template name to "ha" |
20200305 | First release of Check Point CloudGuard IaaS High Availability Terraform deployment for Azure |
Addition of "templateType" parameter to "cloud-version" files. | |
See the LICENSE file for details