From da2115d6ba4d9bd1cfde64e1c583df2e5f92edd4 Mon Sep 17 00:00:00 2001
From: noamcoh
Date: Tue, 28 Oct 2025 17:00:22 +0000
Subject: [PATCH] feat(VSECPC-10307): Master modules utilize nested modules

---
 modules/autoscale_master/main.tf | 306 ++++----------------
 modules/autoscale_master/output.tf | 25 +-
 modules/autoscale_master/versions.tf | 2 +-
 modules/management_master/main.tf | 267 ++++------------------
 modules/management_master/output.tf | 10 +-
 modules/management_master/versions.tf | 2 +-
 modules/mds_master/main.tf | 237 +++----------------
 modules/mds_master/output.tf | 15 +-
 modules/mds_master/versions.tf | 2 +-
 9 files changed, 147 insertions(+), 719 deletions(-)

diff --git a/modules/autoscale_master/main.tf b/modules/autoscale_master/main.tf
index 35fedbe..34723e4 100644
--- a/modules/autoscale_master/main.tf
+++ b/modules/autoscale_master/main.tf
@@ -7,273 +7,49 @@ module "launch_vpc" { subnets_bit_length = var.subnets_bit_length } -module "amis" { - source = "../amis" +module "launch_autoscale_into_vpc" { + source = "../autoscale" - version_license = var.gateway_version -} - -resource "aws_security_group" "permissive_sg" { - name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name) - description = "Permissive security group" vpc_id = module.launch_vpc.vpc_id - - dynamic "ingress" { - for_each = [for rule in var.security_rules : rule if rule.direction == "ingress"] - content { - from_port = ingress.value.from_port - to_port = ingress.value.to_port - protocol = ingress.value.protocol - cidr_blocks = ingress.value.cidr_blocks - } - } - - dynamic ingress { - for_each = length([for rule in var.security_rules : rule if rule.direction == "ingress"]) == 0 ? [1] : [] - content{ - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - } + subnet_ids = module.launch_vpc.public_subnets_ids_list - dynamic "egress" { - for_each = [for rule in var.security_rules : rule if rule.direction == "egress"] - content { - from_port = egress.value.from_port - to_port = egress.value.to_port - protocol = egress.value.protocol - cidr_blocks = egress.value.cidr_blocks - } - } - - dynamic egress { - for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? 
[1] : [] - content{ - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - } - tags = { - Name = format("%s_PermissiveSecurityGroup", local.asg_name) - } -} - -resource "aws_launch_template" "asg_launch_template" { - name_prefix = local.asg_name - image_id = module.amis.ami_id - instance_type = var.gateway_instance_type + // --- General Settings --- + prefix = var.prefix + asg_name = var.asg_name + gateway_name = var.gateway_name + gateway_instance_type = var.gateway_instance_type key_name = var.key_name - network_interfaces { - associate_public_ip_address = true - security_groups = [aws_security_group.permissive_sg.id] - } - - metadata_options { - http_tokens = var.metadata_imdsv2_required ? "required" : "optional" - } - - iam_instance_profile { - name = ( var.enable_cloudwatch ? aws_iam_instance_profile.instance_profile[0].name : "") - } - monitoring { - enabled = true - } - - block_device_mappings { - device_name = "/dev/xvda" - ebs { - volume_type = "gp3" - volume_size = var.volume_size - encrypted = var.enable_volume_encryption - } - } - description = "Initial template version" - - - user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", { - // script's arguments - PasswordHash = local.gateway_password_hash_base64, - MaintenanceModePassword = local.maintenance_mode_password_hash_base64 - EnableCloudWatch = var.enable_cloudwatch, - EnableInstanceConnect = var.enable_instance_connect, - Shell = var.admin_shell, - SICKey = local.gateway_SICkey_base64, - AllowUploadDownload = var.allow_upload_download, - BootstrapScript = local.gateway_bootstrap_script64, - OsVersion = local.version_split - })) -} -resource "aws_autoscaling_group" "asg" { - name_prefix = local.asg_name - launch_template { - id = aws_launch_template.asg_launch_template.id - version = aws_launch_template.asg_launch_template.latest_version - } - min_size = var.minimum_group_size - max_size = var.maximum_group_size - load_balancers = 
aws_elb.proxy_elb.*.name - target_group_arns = var.target_groups - vpc_zone_identifier = module.launch_vpc.public_subnets_ids_list - health_check_grace_period = 3600 - health_check_type = "ELB" - - tag { - key = "Name" - value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name) - propagate_at_launch = true - } - - tag { - key = "x-chkp-tags" - value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type) - propagate_at_launch = true - } - - dynamic "tag" { - for_each = var.instances_tags - content { - key = tag.key - value = tag.value - propagate_at_launch = true - } - } -} - -data "aws_iam_policy_document" "assume_role_policy_document" { - version = "2012-10-17" - statement { - actions = ["sts:AssumeRole"] - principals { - type = "Service" - identifiers = ["ec2.amazonaws.com"] - } - effect = "Allow" - } -} - -resource "aws_iam_role" "role" { - count = local.create_iam_role - name_prefix = format("%s-iam_role", local.asg_name) - assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json - path = "/" -} -module "attach_cloudwatch_policy" { - source = "../cloudwatch_policy" - count = local.create_iam_role - role = aws_iam_role.role[count.index].name - tag_name = local.asg_name -} - -resource "aws_iam_instance_profile" "instance_profile" { - count = local.create_iam_role - name_prefix = format("%s-iam_instance_profile", local.asg_name) - path = "/" - role = aws_iam_role.role[count.index].name -} - -// Proxy ELB -locals { - proxy_elb_condition = var.proxy_elb_type != "none" ? 
1 : 0 -} -resource "random_id" "proxy_elb_uuid" { - byte_length = 5 -} -resource "aws_elb" "proxy_elb" { - count = local.proxy_elb_condition - name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex) - internal = var.proxy_elb_type == "internal" - cross_zone_load_balancing = true - listener { - instance_port = var.proxy_elb_port - instance_protocol = "TCP" - lb_port = var.proxy_elb_port - lb_protocol = "TCP" - } - health_check { - target = format("TCP:%s", var.proxy_elb_port) - healthy_threshold = 3 - unhealthy_threshold = 5 - interval = 30 - timeout = 5 - } - subnets = module.launch_vpc.public_subnets_ids_list - security_groups = [aws_security_group.elb_security_group[count.index].id] -} -resource "aws_load_balancer_policy" "proxy_elb_policy" { - count = local.proxy_elb_condition - load_balancer_name = aws_elb.proxy_elb[count.index].name - policy_name = "EnableProxyProtocol" - policy_type_name = "ProxyProtocolPolicyType" - - policy_attribute { - name = "ProxyProtocol" - value = "true" - } -} -resource "aws_security_group" "elb_security_group" { - count = local.proxy_elb_condition - description = "ELB security group" - vpc_id = module.launch_vpc.vpc_id - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - ingress { - protocol = "tcp" - cidr_blocks = [var.proxy_elb_clients] - from_port = var.proxy_elb_port - to_port = var.proxy_elb_port - } -} - -// Scaling metrics -resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" { - alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name) - metric_name = "CPUUtilization" - alarm_description = "Scale-down if CPU < 60% for 10 minutes" - namespace = "AWS/EC2" - statistic = "Average" - period = 300 - evaluation_periods = 2 - threshold = 60 - alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn] - dimensions = { - AutoScalingGroupName = aws_autoscaling_group.asg.name - } - comparison_operator = "LessThanThreshold" -} -resource "aws_autoscaling_policy" 
"scale_down_policy" { - autoscaling_group_name = aws_autoscaling_group.asg.name - name = format("%s_scale_down", aws_autoscaling_group.asg.name) - adjustment_type = "ChangeInCapacity" - cooldown = 300 - scaling_adjustment = -1 -} -resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" { - alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name) - metric_name = "CPUUtilization" - alarm_description = "Scale-up if CPU > 80% for 10 minutes" - namespace = "AWS/EC2" - statistic = "Average" - period = 300 - evaluation_periods = 2 - threshold = 80 - alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn] - dimensions = { - AutoScalingGroupName = aws_autoscaling_group.asg.name - } - comparison_operator = "GreaterThanThreshold" -} -resource "aws_autoscaling_policy" "scale_up_policy" { - autoscaling_group_name = aws_autoscaling_group.asg.name - name = format("%s_scale_up", aws_autoscaling_group.asg.name) - adjustment_type = "ChangeInCapacity" - cooldown = 300 - scaling_adjustment = 1 + enable_volume_encryption = var.enable_volume_encryption + volume_size = var.volume_size + enable_instance_connect = var.enable_instance_connect + metadata_imdsv2_required = var.metadata_imdsv2_required + instances_tags = var.instances_tags + + // --- Auto Scaling Configuration --- + minimum_group_size = var.minimum_group_size + maximum_group_size = var.maximum_group_size + target_groups = var.target_groups + + // --- Check Point Settings --- + gateway_version = var.gateway_version + gateway_password_hash = var.gateway_password_hash + gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash + gateway_SICKey = var.gateway_SICKey + allow_upload_download = var.allow_upload_download + enable_cloudwatch = var.enable_cloudwatch + gateway_bootstrap_script = var.gateway_bootstrap_script + admin_shell = var.admin_shell + + // --- Management Configuration --- + management_server = var.management_server + configuration_template = var.configuration_template + 
gateways_provision_address_type = var.gateways_provision_address_type + + // --- Proxy ELB Configuration --- + proxy_elb_type = var.proxy_elb_type + proxy_elb_port = var.proxy_elb_port + proxy_elb_clients = var.proxy_elb_clients + + // --- Security Rules --- + security_rules = var.security_rules } diff --git a/modules/autoscale_master/output.tf b/modules/autoscale_master/output.tf index 152bb74..645fc8e 100644 --- a/modules/autoscale_master/output.tf +++ b/modules/autoscale_master/output.tf 
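Review bot: The all-open fallback that the removed `aws_security_group.permissive_sg` made explicit — a `0.0.0.0/0`, protocol `-1` ingress and egress whenever `var.security_rules` has no rule in that direction — is now whatever `../autoscale` does with `security_rules`, and nothing in the new `module "launch_autoscale_into_vpc"` block lets a reader see that. I'd annotate the last assignment: `// empty list: the nested module applies its own defaults - confirm they match the former permissive_sg (0.0.0.0/0, all protocols, both directions)` so the permissive default is reviewed where the master module is read. The same applies to the `security_rules = var.security_rules` line in management_master/main.tf and mds_master/main.tf, whose removed groups carried the all-open fallback for egress only. The `module "launch_vpc"` block at the top of the hunk starts outside it.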
@@ -1,43 +1,42 @@ output "Deployment" { value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished." } - output "autoscale_autoscaling_group_name" { - value = aws_autoscaling_group.asg.name + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_name } output "autoscale_autoscaling_group_arn" { - value = aws_autoscaling_group.asg.arn + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_arn } output "autoscale_autoscaling_group_availability_zones" { - value = aws_autoscaling_group.asg.availability_zones + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_availability_zones } output "autoscale_autoscaling_group_desired_capacity" { - value = aws_autoscaling_group.asg.desired_capacity + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_desired_capacity } output "autoscale_autoscaling_group_min_size" { - value = aws_autoscaling_group.asg.min_size + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_min_size } output "autoscale_autoscaling_group_max_size" { - value = aws_autoscaling_group.asg.max_size + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_max_size } output "autoscale_autoscaling_group_load_balancers" { - value = aws_autoscaling_group.asg.load_balancers + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_load_balancers } output "autoscale_autoscaling_group_target_group_arns" { - value = aws_autoscaling_group.asg.target_group_arns + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_target_group_arns } output "autoscale_autoscaling_group_subnets" { - value = aws_autoscaling_group.asg.vpc_zone_identifier + value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_subnets } output "autoscale_launch_template_id" { - value = aws_launch_template.asg_launch_template.id + value = module.launch_autoscale_into_vpc.autoscale_launch_template_id } output 
"autoscale_security_group_id" { - value = aws_security_group.permissive_sg.id + value = module.launch_autoscale_into_vpc.autoscale_security_group_id } output "autoscale_iam_role_name" { - value = aws_iam_role.role.*.name + value = module.launch_autoscale_into_vpc.autoscale_iam_role_name } diff --git a/modules/autoscale_master/versions.tf b/modules/autoscale_master/versions.tf index dbebf27..a55aa61 100644 --- a/modules/autoscale_master/versions.tf +++ b/modules/autoscale_master/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.20.0" + version = "~> 5.100.0" } http = { version = "~> 3.4.0" diff --git a/modules/management_master/main.tf b/modules/management_master/main.tf index 7a85fe5..d797b19 100644 --- a/modules/management_master/main.tf +++ b/modules/management_master/main.tf @@ -1,4 +1,3 @@ -// --- VPC --- module "launch_vpc" { source = "../vpc" 
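Review bot: `autoscale_iam_role_name` used to be the splat `aws_iam_role.role.*.name`, a list that is empty when no role is created, and it now forwards `module.launch_autoscale_into_vpc.autoscale_iam_role_name`, whose type is not visible in this hunk; if the nested output is a single string or `null`, any consumer that indexes or iterates the old list breaks. The same question applies to `autoscale_autoscaling_group_load_balancers`, which previously came straight from the ASG attribute. I'd confirm the nested module emits the same shapes, or pin the contract on the output with a comment such as `// list of IAM role names; empty when no role was created` so a type change in `../autoscale` is caught at review rather than by downstream roots.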
@@ -10,236 +9,48 @@ module "launch_vpc" { subnets_bit_length = var.subnets_bit_length } -module "amis" { - source = "../amis" - version_license = var.management_version - chkp_type = "management" -} - -resource "aws_security_group" "management_sg" { - description = "terraform Management security group" - vpc_id = module.launch_vpc.vpc_id - name_prefix = format("%s_SecurityGroup", var.management_name) - // Group name - tags = { - Name = format("%s_SecurityGroup", var.management_name) - // Resource name - } - ingress { - from_port = 257 - to_port = 257 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18191 - to_port = 18191 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18192 - to_port = 18192 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18208 - to_port = 18208 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18210 - to_port = 18210 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18211 - to_port = 18211 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18221 - to_port = 18221 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18264 - to_port = 18264 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - ingress { - from_port = 18190 - to_port = 18190 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } +module "launch_management_into_vpc" { + source = "../management" - ingress { - from_port = 19009 - to_port = 19009 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - - dynamic "ingress" { - for_each = [for rule in var.security_rules : rule if rule.direction == 
"ingress"] - content { - from_port = ingress.value.from_port - to_port = ingress.value.to_port - protocol = ingress.value.protocol - cidr_blocks = ingress.value.cidr_blocks - } - } - - dynamic "egress" { - for_each = [for rule in var.security_rules : rule if rule.direction == "egress"] - content { - from_port = egress.value.from_port - to_port = egress.value.to_port - protocol = egress.value.protocol - cidr_blocks = egress.value.cidr_blocks - } - } - - dynamic egress { - for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? [1] : [] - content{ - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - } -} - -resource "aws_network_interface" "external-eni" { + vpc_id = module.launch_vpc.vpc_id subnet_id = module.launch_vpc.public_subnets_ids_list[0] - security_groups = [aws_security_group.management_sg.id] - description = "eth0" - source_dest_check = true - tags = { - Name = format("%s-network_interface", var.management_name) - } -} - -resource "aws_eip" "eip" { - count = var.allocate_and_associate_eip ? 1 : 0 - network_interface = aws_network_interface.external-eni.id -} - -resource "aws_iam_instance_profile" "management_instance_profile" { - count = local.pre_role - path = "/" - role = var.predefined_role -} - -resource "aws_launch_template" "management_launch_template" { - depends_on = [ - aws_network_interface.external-eni, - aws_eip.eip - ] - - instance_type = var.management_instance_type + + // --- EC2 Instance Configuration --- + management_name = var.management_name + management_instance_type = var.management_instance_type key_name = var.key_name - image_id = module.amis.ami_id - description = "Initial launch template version" - - iam_instance_profile { - name = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? 
module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): "" - } - - metadata_options { - http_tokens = var.metadata_imdsv2_required ? "required" : "optional" - } - - network_interfaces { - network_interface_id = aws_network_interface.external-eni.id - device_index = 0 - } -} - -resource "aws_instance" "management-instance" { - depends_on = [ - aws_launch_template.management_launch_template - ] - - launch_template { - id = aws_launch_template.management_launch_template.id - version = "$Latest" - } - - disable_api_termination = var.disable_instance_termination - - tags = merge({ - Name = var.management_name - }, var.instance_tags) - - ebs_block_device { - device_name = "/dev/xvda" - volume_type = var.volume_type - volume_size = var.volume_size - encrypted = local.volume_encryption_condition - kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" - } - - lifecycle { - ignore_changes = [ebs_block_device,] - } - - user_data = templatefile("${path.module}/management_userdata.yaml", { - // script's arguments - Hostname = var.management_hostname, - PasswordHash = local.management_password_hash_base64, - MaintenanceModePassword = local.maintenance_mode_password_hash_base64, - AllowUploadDownload = var.allow_upload_download, - NTPPrimary = var.primary_ntp - NTPSecondary = var.secondary_ntp - Shell = var.admin_shell, - AdminSubnet = var.admin_cidr - ManagementInstallationType = var.management_installation_type - SICKey = local.management_SICkey_base64, - OsVersion = local.version_split - EnableInstanceConnect = var.enable_instance_connect - AllocateElasticIP = var.allocate_and_associate_eip - GatewayManagement = var.gateway_management - BootstrapScript = local.management_bootstrap_script64 - PubMgmt = local.pub_mgmt - - }) -} - -module "cme_iam_role" { - source = "../cme_iam_role" - count = local.new_instance_profile_general - - sts_roles = var.sts_roles - permissions = var.iam_permissions -} - -module 
"cme_iam_role_gwlb" { - source = "../cme_iam_role_gwlb" - count = local.new_instance_profile_gwlb - + allocate_and_associate_eip = var.allocate_and_associate_eip + volume_size = var.volume_size + volume_encryption = var.volume_encryption + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + instance_tags = var.instance_tags + + // --- IAM Permissions --- + iam_permissions = var.iam_permissions + predefined_role = var.predefined_role sts_roles = var.sts_roles - permissions = var.iam_permissions + + // --- Check Point Settings --- + management_version = var.management_version + admin_shell = var.admin_shell + management_password_hash = var.management_password_hash + management_maintenance_mode_password_hash = var.management_maintenance_mode_password_hash + + // --- Security Management Server Settings --- + management_hostname = var.management_hostname + management_installation_type = var.management_installation_type + SICKey = var.SICKey + allow_upload_download = var.allow_upload_download + gateway_management = var.gateway_management + admin_cidr = var.admin_cidr + gateway_addresses = var.gateway_addresses + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp + management_bootstrap_script = var.management_bootstrap_script + volume_type = var.volume_type + is_gwlb_iam = var.is_gwlb_iam + security_rules = var.security_rules } diff --git a/modules/management_master/output.tf b/modules/management_master/output.tf index da20727..96c3e6a 100644 --- a/modules/management_master/output.tf +++ b/modules/management_master/output.tf 
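Review bot: The last three assignments in the new `module "launch_management_into_vpc"` block sit under `// --- Security Management Server Settings ---` although none of them is a server setting: `volume_type = var.volume_type` belongs with the other volume arguments in the EC2 section, `is_gwlb_iam = var.is_gwlb_iam` next to `iam_permissions`/`predefined_role` under IAM Permissions, and `security_rules = var.security_rules` under its own `// --- Security Rules ---` header as the autoscale_master and mds_master calls in this commit do. The group headers are the only documentation this call carries, so a security-relevant input filed under an unrelated heading is worth moving before the layout is copied elsewhere. The `module "launch_vpc"` block begins above the hunk.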
@@ -3,17 +3,17 @@ output "Deployment" { } output "management_instance_id" { - value = aws_instance.management-instance.id + value = module.launch_management_into_vpc.management_instance_id } output "management_instance_name" { - value = aws_instance.management-instance.tags["Name"] + value = module.launch_management_into_vpc.management_instance_name } output "management_instance_tags" { - value = aws_instance.management-instance.tags + value = module.launch_management_into_vpc.management_instance_tags } output "management_public_ip" { - value = aws_instance.management-instance.public_ip + value = module.launch_management_into_vpc.management_public_ip } output "management_url" { - value = format("https://%s", aws_instance.management-instance.public_ip) + value = module.launch_management_into_vpc.management_url } \ No newline at end of file diff --git a/modules/management_master/versions.tf b/modules/management_master/versions.tf index c138bbb..2d2270f 100644 --- a/modules/management_master/versions.tf +++ b/modules/management_master/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.20.0" + version = "~> 5.100.0" } http = { version = "~> 3.4.0" diff --git a/modules/mds_master/main.tf b/modules/mds_master/main.tf index 2e18fe9..98022ca 100644 --- a/modules/mds_master/main.tf +++ b/modules/mds_master/main.tf @@ -1,4 +1,3 @@ -// --- VPC --- module "launch_vpc" { source = "../vpc" 
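Review bot: The file still ends without a trailing newline — the `\ No newline at end of file` marker follows the added `management_url` line, so it applies to the new side; mds_master/output.tf in this commit has the same issue. Separately, `management_url` and `management_public_ip` were previously coupled by `format("https://%s", aws_instance.management-instance.public_ip)` and are now two independent nested outputs, so whether they still agree depends on `../management`, which is not visible here. A one-line comment on `management_url` naming the nested output it is expected to mirror, e.g. `// must stay derived from the same address as management_public_ip`, would give a reader something to check against.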
@@ -10,211 +9,45 @@ module "launch_vpc" { subnets_bit_length = var.subnets_bit_length } -module "amis" { - source = "../amis" +module "launch_mds_into_vpc" { + source = "../mds" - version_license = var.mds_version - chkp_type = "mds" -} - -resource "aws_security_group" "mds_sg" { - description = "terraform Multi-Domain Server security group" vpc_id = module.launch_vpc.vpc_id - name_prefix = format("%s_SecurityGroup", var.mds_name) - // Group name - tags = { - Name = format("%s_SecurityGroup", var.mds_name) - // Resource name - } - ingress { - from_port = 257 - to_port = 257 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 8211 - to_port = 8211 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18191 - to_port = 18191 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18192 - to_port = 18192 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18208 - to_port = 18208 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18210 - to_port = 18210 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18211 - to_port = 18211 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18221 - to_port = 18221 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 18264 - to_port = 18264 - protocol = "tcp" - cidr_blocks = [var.gateway_addresses] - } - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - ingress { - from_port = 18190 - to_port = 18190 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - ingress { - from_port = 19009 - to_port = 19009 - protocol = "tcp" - cidr_blocks = [var.admin_cidr] - } - - dynamic "ingress" { - for_each = 
[for rule in var.security_rules : rule if rule.direction == "ingress"] - content { - from_port = ingress.value.from_port - to_port = ingress.value.to_port - protocol = ingress.value.protocol - cidr_blocks = ingress.value.cidr_blocks - } - } - - dynamic "egress" { - for_each = [for rule in var.security_rules : rule if rule.direction == "egress"] - content { - from_port = egress.value.from_port - to_port = egress.value.to_port - protocol = egress.value.protocol - cidr_blocks = egress.value.cidr_blocks - } - } - - dynamic egress { - for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? [1] : [] - content{ - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - } -} - -resource "aws_iam_instance_profile" "mds_instance_profile" { - count = local.use_role - path = "/" - role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role -} - -resource "aws_network_interface" "external-eni" { subnet_id = module.launch_vpc.public_subnets_ids_list[0] - security_groups = [aws_security_group.mds_sg.id] - description = "eth0" - source_dest_check = true - tags = { - Name = format("%s-network_interface", var.mds_name) - } -} -resource "aws_launch_template" "mds_launch_template" { - instance_type = var.mds_instance_type + // --- EC2 Instance Configuration --- + mds_name = var.mds_name + mds_instance_type = var.mds_instance_type key_name = var.key_name - image_id = module.amis.ami_id - description = "Initial launch template version" - - iam_instance_profile { - name = local.use_role == 1 ? aws_iam_instance_profile.mds_instance_profile[0].id : "" - } - - metadata_options { - http_tokens = var.metadata_imdsv2_required ? 
"required" : "optional" - } - - network_interfaces { - network_interface_id = aws_network_interface.external-eni.id - device_index = 0 - } -} - -resource "aws_instance" "mds-instance" { - launch_template { - id = aws_launch_template.mds_launch_template.id - version = "$Latest" - } - - disable_api_termination = var.disable_instance_termination - - tags = merge({ - Name = var.mds_name - }, var.instance_tags) - - ebs_block_device { - device_name = "/dev/xvda" - volume_type = "gp2" - volume_size = var.volume_size - encrypted = local.volume_encryption_condition - kms_key_id = local.volume_encryption_condition ? var.volume_encryption : "" - } - - user_data = templatefile("${path.module}/mds_userdata.yaml", { - // script's arguments - Hostname = var.mds_hostname, - PasswordHash = local.mds_password_hash_base64 - MaintenanceModePassword = local.maintenance_mode_password_hash_base64 - AllowUploadDownload = var.allow_upload_download, - NTPPrimary = var.primary_ntp - NTPSecondary = var.secondary_ntp - Shell = var.mds_admin_shell, - AdminSubnet = var.admin_cidr - IsPrimary = local.primary_mds - IsSecondary = local.secondary_mds - SICKey = local.mds_SICkey_base64, - EnableInstanceConnect = var.enable_instance_connect - BootstrapScript = local.mds_bootstrap_script64 - OsVersion = local.version_split - }) -} - -module "cme_iam_role" { - source = "../cme_iam_role" - count = local.create_iam_role ? 
1 : 0 - + volume_size = var.volume_size + volume_encryption = var.volume_encryption + enable_instance_connect = var.enable_instance_connect + disable_instance_termination = var.disable_instance_termination + metadata_imdsv2_required = var.metadata_imdsv2_required + instance_tags = var.instance_tags + + // --- IAM Permissions --- + iam_permissions = var.iam_permissions + predefined_role = var.predefined_role sts_roles = var.sts_roles - permissions = var.iam_permissions + + // --- Check Point Settings --- + mds_version = var.mds_version + mds_admin_shell = var.mds_admin_shell + mds_password_hash = var.mds_password_hash + mds_maintenance_mode_password_hash = var.mds_maintenance_mode_password_hash + + // --- Multi-Domain Server Settings --- + mds_hostname = var.mds_hostname + mds_installation_type = var.mds_installation_type + mds_SICKey = var.mds_SICKey + allow_upload_download = var.allow_upload_download + admin_cidr = var.admin_cidr + gateway_addresses = var.gateway_addresses + primary_ntp = var.primary_ntp + secondary_ntp = var.secondary_ntp + mds_bootstrap_script = var.mds_bootstrap_script + + // --- Security Rules --- + security_rules = var.security_rules } diff --git a/modules/mds_master/output.tf b/modules/mds_master/output.tf index c1d3783..cdff879 100644 --- a/modules/mds_master/output.tf +++ b/modules/mds_master/output.tf 
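Review bot: Unlike the management_master call in this commit, the new `module "launch_mds_into_vpc"` block passes no `volume_type`, while the removed `aws_instance.mds-instance` pinned `volume_type = "gp2"` on its root `ebs_block_device`. If `../mds` declares a `volume_type` input, pass it explicitly (`volume_type = "gp2"` or a new variable) so the root volume type is not changed silently by the nested module's default on the next apply; if it does not, `terraform validate` will reject the extra argument and a comment noting that the type is fixed inside the nested module is enough. Note that the old mds instance, unlike the removed management one, had no `lifecycle { ignore_changes = [ebs_block_device] }`, so a differing type is more likely to surface as a planned change here. The `module "launch_vpc"` block at the top starts outside the hunk.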
@@ -2,12 +2,21 @@ output "Deployment" { value = "Finalizing configuration may take up to 20 minutes after deployment is finished." } +output "vpc_id" { + value = module.launch_vpc.vpc_id +} +output "vpc_public_subnets_ids_list" { + value = module.launch_vpc.public_subnets_ids_list +} +output "vpc_private_subnets_ids_list" { + value = module.launch_vpc.private_subnets_ids_list +} output "mds_instance_id" { - value = aws_instance.mds-instance.id + value = module.launch_mds_into_vpc.mds_instance_id } output "mds_instance_name" { - value = aws_instance.mds-instance.tags["Name"] + value = module.launch_mds_into_vpc.mds_instance_name } output "mds_instance_tags" { - value = aws_instance.mds-instance.tags + value = module.launch_mds_into_vpc.mds_instance_tags } \ No newline at end of file diff --git a/modules/mds_master/versions.tf b/modules/mds_master/versions.tf index c138bbb..2d2270f 100644 --- a/modules/mds_master/versions.tf +++ b/modules/mds_master/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.20.0" + version = "~> 5.100.0" } http = { version = "~> 3.4.0"
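Review bot: The three `vpc_*` outputs added here (`vpc_id`, `vpc_public_subnets_ids_list`, `vpc_private_subnets_ids_list`) have no counterpart in autoscale_master/output.tf or management_master/output.tf, which this same commit rewrites, although all three master modules instantiate the same `module "launch_vpc"`. Callers of the three masters would reasonably expect the same VPC surface from each, and a root that composes them has to read the subnet ids from one master but not the others. Adding the same three outputs, copied from this hunk, to the other two output files keeps the master-module interface consistent.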