AWS GWLB add ipv6 support (#9)

* Add new file

* Update README.md

* README Update

* Adding modules for AWS Check Point deployments

* Updated user data values

* VSECPC-9954 | Adding .gitatributes file

* Edit README.md

* AWS GWLB add ipv6 support

---------

Co-authored-by: avivm <avivm@checkpoint.com>
Co-authored-by: guybarak <guybarak@checkpoint.com>
Co-authored-by: eviatars <eviatars@checkpoint.com>
Co-authored-by: yizhako <yizhako@checkpoint.com>

Author: 5 people

modules/autoscale_gwlb/README.md

@@ -66,10 +66,10 @@ module "example_module" {
     allow_upload_download = true
     enable_cloudwatch = false
     gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+    enable_ipv6 = false
 }
 ```
 
-
 ## Inputs
 
 | Name                                   | Description                                                                                                                                                                     | Type         | Allowed Values                                                                                                 |
@@ -103,7 +103,7 @@ module "example_module" {
 | volume_type                            | General Purpose SSD Volume Type                                                                                                                                               | string       | - gp3<br>- gp2<br>**Default:** gp3                                                                            |
 | gateway_maintenance_mode_password_hash | (Optional) Maintenance-mode password for recovery purposes.                                                                                                                    | string       |                                                                                                               |
  security_rules | List of security rules for ingress and egress.                                                         | list(object({<br/>    direction   = string    <br/>from_port   = any    <br/>to_port     = any <br/>protocol    = any <br/>cidr_blocks = list(any)<br/>}))         | **Default:** []|
-
+| enable_ipv6                            | Enables dual-stack networking (IPv4 and IPv6) for the GWLB, [Please see version compatibility in the following guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Content/Topics-AWS-GWLB-ASG-DG/IPv6-Support.htm)    | bool         | true/false<br>**Default:** false 
 
 
 ## Outputs
@@ -115,6 +115,7 @@ output "instance_public_ip" {
 ```
 | Name                                           | Description                                                       |
 |------------------------------------------------|-------------------------------------------------------------------|
+| 20250508                                       |Added support for IPv6 traffic settings                            |                                                                                                                           |
 | autoscale_autoscaling_group_name               | The name of the deployed AutoScaling Group                        |
 | autoscale_autoscaling_group_arn                | The ARN for the deployed AutoScaling Group                        |
 | autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured              |

modules/autoscale_gwlb/asg_userdata_ipv6.yaml

@@ -0,0 +1,33 @@
+#cloud-config
+network:
+  version: 1
+  config:
+  - type: bridge
+    name: br0
+    mtu: *eth0-mtu
+    subnets:
+      - address: *eth0-private
+        type: static
+        gateway: *default-gateway
+        dns_nameservers:
+        - *eth0-dns1
+    bridge_interfaces:
+      - eth0
+kernel_parameters:
+  sim:
+    - sim_geneve_enabled=1
+    - sim_geneve_br_dev=br0
+  fw:
+
+    - fwtls_bridge_mode_inspection=1
+    - fw_geneve_enabled=1
+bootcmd:
+    - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
+    - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
+    - cp /etc/basedb /etc/basedb.bak
+    - grep -vx "ipv6 t" /etc/basedb.bak | grep -vx "ipv6 f" > /etc/basedb;
+    - echo "ipv6 t" >> /etc/basedb
+    - /etc/rc3.d/S07ipv6gen
+runcmd:
+  - |
+    python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"

modules/autoscale_gwlb/main.tf

@@ -10,49 +10,43 @@ resource "aws_security_group" "permissive_sg" {
   name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
   description = "Permissive security group"
   vpc_id = var.vpc_id
-  
-  dynamic "ingress" {
-    for_each = [for rule in var.security_rules : rule if rule.direction == "ingress"]
-    content {
-      from_port   = ingress.value.from_port
-      to_port     = ingress.value.to_port
-      protocol    = ingress.value.protocol
-      cidr_blocks = ingress.value.cidr_blocks
+  tags = {
+    Name = format("%s_PermissiveSecurityGroup", local.asg_name)
     }
   }  
 
-  dynamic ingress {
-    for_each = length([for rule in var.security_rules : rule if rule.direction == "ingress"]) == 0 ? [1] : []
-    content{
+resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
+  security_group_id = aws_security_group.permissive_sg.id
+  cidr_ipv4         = "0.0.0.0/0"
         from_port    = 0
+  ip_protocol       = "-1"
         to_port      = 0
-        protocol     = "-1"
-        cidr_blocks  = ["0.0.0.0/0"]
     }
-  }
 
-  dynamic "egress" {
-    for_each = [for rule in var.security_rules : rule if rule.direction == "egress"]
-    content {
-      from_port   = egress.value.from_port
-      to_port     = egress.value.to_port
-      protocol    = egress.value.protocol
-      cidr_blocks = egress.value.cidr_blocks
-    }
+resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv4" {
+  security_group_id = aws_security_group.permissive_sg.id
+  cidr_ipv4         = "0.0.0.0/0"
+    from_port = 0
+  ip_protocol       = "-1"
+    to_port = 0
+  }
+
+resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv6" {
+  count = var.enable_ipv6 ? 1 : 0
+  security_group_id = aws_security_group.permissive_sg.id
+  cidr_ipv6         = "::/0"
+  from_port         = 0
+  ip_protocol       = "-1"
+  to_port           = 0
   }  
 
-  dynamic egress {
-    for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? [1] : []
-    content{
+resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv6" {
+  count = var.enable_ipv6 ? 1 : 0
+  security_group_id = aws_security_group.permissive_sg.id
+  cidr_ipv6         = "::/0"
         from_port    = 0
+  ip_protocol       = "-1"
         to_port      = 0
-        protocol     = "-1"
-        cidr_blocks  = ["0.0.0.0/0"]
-    }
-  }
-  tags = {
-    Name = format("%s_PermissiveSecurityGroup", local.asg_name)
-  }
 }
 
 resource "aws_launch_template" "asg_launch_template" {
@@ -87,7 +81,7 @@ resource "aws_launch_template" "asg_launch_template" {
 
   description = "Initial template version"
 
-  user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
+  user_data = base64encode(templatefile("${path.module}/${var.enable_ipv6 ? "asg_userdata_ipv6.yaml" : "asg_userdata.yaml"}", {
     // script's arguments
     PasswordHash = local.gateway_password_hash_base64,
     MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
@@ -98,6 +92,7 @@ resource "aws_launch_template" "asg_launch_template" {
     AllowUploadDownload = var.allow_upload_download,
     BootstrapScript = local.gateway_bootstrap_script64,
     OsVersion = local.version_split
+    enable_ipv6 = var.enable_ipv6
   }))
 }
 resource "aws_autoscaling_group" "asg" {

modules/autoscale_gwlb/output.tf

@@ -39,3 +39,6 @@ output "autoscale_iam_role_name" {
   value = aws_iam_role.role.*.name
 }
 
+output "enable_ipv6"{
+  value = var.enable_ipv6
+}

modules/autoscale_gwlb/variables.tf

@@ -190,4 +190,9 @@ variable "security_rules" {
     cidr_blocks = list(string)
   }))
   default = []
+}
+variable "enable_ipv6" {
+  type = bool
+  description = "Enable IPv6 settings of AWS resources."
+  default = false
 }

modules/gwlb/README.md

@@ -137,6 +137,7 @@ module "example_module" {
 | volume_type                            | General Purpose SSD Volume Type                                                                                                                                                                                                | string | - gp3<br>- gp2<br>**Default:** gp3                                                                     |
 | gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). | string |                                                                                                      |
 | management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). | string |                                                                                                      |
+| enable_ipv6                               | Enables dual-stack networking (IPv4 and IPv6) for the GWLB, [Please see version compatibility in the following guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Content/Topics-AWS-GWLB-ASG-DG/IPv6-Support.htm) | bool   | true/false<br>**Default:** false                                         |
 
 ## Outputs
 To display the outputs defined by the module, create an `outputs.tf` file with the following structure:
@@ -154,5 +155,5 @@ output "instance_public_ip" {
 | gwlb_name           | The name of the deployed Gateway Load Balancer                                        |
 | gwlb_service_name   | The service name for the deployed Gateway Load Balancer                               |
 | gwlb_arn            | The arn for the deployed Gateway Load Balancer                                        |
-
+| enable_ipv6         | Dual-stack IPv4/IPv6 compatible                                                       |
 

modules/gwlb/main.tf

@@ -18,13 +18,14 @@ module "gateway_load_balancer" {
   target_group_port = 6081
   listener_port = 6081
   cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+  enable_ipv6 = var.enable_ipv6
 }
 
 resource "aws_vpc_endpoint_service" "gwlb_endpoint_service" {
 depends_on = [module.gateway_load_balancer]
   gateway_load_balancer_arns = module.gateway_load_balancer[*].load_balancer_arn
   acceptance_required        = var.connection_acceptance_required
-
+  supported_ip_address_types = var.enable_ipv6 ? ["ipv4", "ipv6"] : ["ipv4"]
   tags = {
     "Name" = "gwlb-endpoint-service-${var.gateway_load_balancer_name}"
   }
@@ -58,6 +59,7 @@ module "autoscale_gwlb" {
   management_server = var.management_server
   configuration_template = var.configuration_template
   volume_type = var.volume_type
+  enable_ipv6 = var.enable_ipv6
 }
 
 data "aws_region" "current"{}

modules/gwlb/output.tf

@@ -19,4 +19,7 @@ output "controller_name" {
 }
 output "template_name" {
   value = var.configuration_template
+}
+output "enable_ipv6"{
+  value = var.enable_ipv6
 }

modules/gwlb/variables.tf

@@ -243,4 +243,9 @@ variable "volume_type" {
   type = string
   description = "General Purpose SSD Volume Type"
   default = "gp3"
+}
+variable "enable_ipv6" {
+  type = bool
+  description = "Enable IPv6 settings of AWS resources."
+  default = false
 }