Skip to content

feat(VSECPC-10307): Master modules utilize nested modules #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 28, 2025
Merged

feat(VSECPC-10307): Master modules utilize nested modules #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
306 changes: 41 additions & 265 deletions modules/autoscale_master/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,273 +7,49 @@ module "launch_vpc" {
subnets_bit_length = var.subnets_bit_length
}

module "amis" {
source = "../amis"
module "launch_autoscale_into_vpc" {
source = "../autoscale"

version_license = var.gateway_version
}

resource "aws_security_group" "permissive_sg" {
name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
description = "Permissive security group"
vpc_id = module.launch_vpc.vpc_id

dynamic "ingress" {
for_each = [for rule in var.security_rules : rule if rule.direction == "ingress"]
content {
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
}
}

dynamic ingress {
for_each = length([for rule in var.security_rules : rule if rule.direction == "ingress"]) == 0 ? [1] : []
content{
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
subnet_ids = module.launch_vpc.public_subnets_ids_list

dynamic "egress" {
for_each = [for rule in var.security_rules : rule if rule.direction == "egress"]
content {
from_port = egress.value.from_port
to_port = egress.value.to_port
protocol = egress.value.protocol
cidr_blocks = egress.value.cidr_blocks
}
}

dynamic egress {
for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? [1] : []
content{
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
tags = {
Name = format("%s_PermissiveSecurityGroup", local.asg_name)
}
}

resource "aws_launch_template" "asg_launch_template" {
name_prefix = local.asg_name
image_id = module.amis.ami_id
instance_type = var.gateway_instance_type
// --- General Settings ---
prefix = var.prefix
asg_name = var.asg_name
gateway_name = var.gateway_name
gateway_instance_type = var.gateway_instance_type
key_name = var.key_name
network_interfaces {
associate_public_ip_address = true
security_groups = [aws_security_group.permissive_sg.id]
}

metadata_options {
http_tokens = var.metadata_imdsv2_required ? "required" : "optional"
}

iam_instance_profile {
name = ( var.enable_cloudwatch ? aws_iam_instance_profile.instance_profile[0].name : "")
}
monitoring {
enabled = true
}

block_device_mappings {
device_name = "/dev/xvda"
ebs {
volume_type = "gp3"
volume_size = var.volume_size
encrypted = var.enable_volume_encryption
}
}
description = "Initial template version"


user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
// script's arguments
PasswordHash = local.gateway_password_hash_base64,
MaintenanceModePassword = local.maintenance_mode_password_hash_base64
EnableCloudWatch = var.enable_cloudwatch,
EnableInstanceConnect = var.enable_instance_connect,
Shell = var.admin_shell,
SICKey = local.gateway_SICkey_base64,
AllowUploadDownload = var.allow_upload_download,
BootstrapScript = local.gateway_bootstrap_script64,
OsVersion = local.version_split
}))
}
resource "aws_autoscaling_group" "asg" {
name_prefix = local.asg_name
launch_template {
id = aws_launch_template.asg_launch_template.id
version = aws_launch_template.asg_launch_template.latest_version
}
min_size = var.minimum_group_size
max_size = var.maximum_group_size
load_balancers = aws_elb.proxy_elb.*.name
target_group_arns = var.target_groups
vpc_zone_identifier = module.launch_vpc.public_subnets_ids_list
health_check_grace_period = 3600
health_check_type = "ELB"

tag {
key = "Name"
value = format("%s%s", var.prefix != "" ? format("%s-", var.prefix) : "", var.gateway_name)
propagate_at_launch = true
}

tag {
key = "x-chkp-tags"
value = format("management=%s:template=%s:ip-address=%s", var.management_server, var.configuration_template, var.gateways_provision_address_type)
propagate_at_launch = true
}

dynamic "tag" {
for_each = var.instances_tags
content {
key = tag.key
value = tag.value
propagate_at_launch = true
}
}
}

data "aws_iam_policy_document" "assume_role_policy_document" {
version = "2012-10-17"
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
effect = "Allow"
}
}

resource "aws_iam_role" "role" {
count = local.create_iam_role
name_prefix = format("%s-iam_role", local.asg_name)
assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json
path = "/"
}
module "attach_cloudwatch_policy" {
source = "../cloudwatch_policy"
count = local.create_iam_role
role = aws_iam_role.role[count.index].name
tag_name = local.asg_name
}

resource "aws_iam_instance_profile" "instance_profile" {
count = local.create_iam_role
name_prefix = format("%s-iam_instance_profile", local.asg_name)
path = "/"
role = aws_iam_role.role[count.index].name
}

// Proxy ELB
locals {
proxy_elb_condition = var.proxy_elb_type != "none" ? 1 : 0
}
resource "random_id" "proxy_elb_uuid" {
byte_length = 5
}
resource "aws_elb" "proxy_elb" {
count = local.proxy_elb_condition
name = format("%s-proxy-elb-%s", var.prefix, random_id.proxy_elb_uuid.hex)
internal = var.proxy_elb_type == "internal"
cross_zone_load_balancing = true
listener {
instance_port = var.proxy_elb_port
instance_protocol = "TCP"
lb_port = var.proxy_elb_port
lb_protocol = "TCP"
}
health_check {
target = format("TCP:%s", var.proxy_elb_port)
healthy_threshold = 3
unhealthy_threshold = 5
interval = 30
timeout = 5
}
subnets = module.launch_vpc.public_subnets_ids_list
security_groups = [aws_security_group.elb_security_group[count.index].id]
}
resource "aws_load_balancer_policy" "proxy_elb_policy" {
count = local.proxy_elb_condition
load_balancer_name = aws_elb.proxy_elb[count.index].name
policy_name = "EnableProxyProtocol"
policy_type_name = "ProxyProtocolPolicyType"

policy_attribute {
name = "ProxyProtocol"
value = "true"
}
}
resource "aws_security_group" "elb_security_group" {
count = local.proxy_elb_condition
description = "ELB security group"
vpc_id = module.launch_vpc.vpc_id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
protocol = "tcp"
cidr_blocks = [var.proxy_elb_clients]
from_port = var.proxy_elb_port
to_port = var.proxy_elb_port
}
}

// Scaling metrics
resource "aws_cloudwatch_metric_alarm" "cpu_alarm_low" {
alarm_name = format("%s_alarm_low", aws_autoscaling_group.asg.name)
metric_name = "CPUUtilization"
alarm_description = "Scale-down if CPU < 60% for 10 minutes"
namespace = "AWS/EC2"
statistic = "Average"
period = 300
evaluation_periods = 2
threshold = 60
alarm_actions = [aws_autoscaling_policy.scale_down_policy.arn]
dimensions = {
AutoScalingGroupName = aws_autoscaling_group.asg.name
}
comparison_operator = "LessThanThreshold"
}
resource "aws_autoscaling_policy" "scale_down_policy" {
autoscaling_group_name = aws_autoscaling_group.asg.name
name = format("%s_scale_down", aws_autoscaling_group.asg.name)
adjustment_type = "ChangeInCapacity"
cooldown = 300
scaling_adjustment = -1
}
resource "aws_cloudwatch_metric_alarm" "cpu_alarm_high" {
alarm_name = format("%s_alarm_high", aws_autoscaling_group.asg.name)
metric_name = "CPUUtilization"
alarm_description = "Scale-up if CPU > 80% for 10 minutes"
namespace = "AWS/EC2"
statistic = "Average"
period = 300
evaluation_periods = 2
threshold = 80
alarm_actions = [aws_autoscaling_policy.scale_up_policy.arn]
dimensions = {
AutoScalingGroupName = aws_autoscaling_group.asg.name
}
comparison_operator = "GreaterThanThreshold"
}
resource "aws_autoscaling_policy" "scale_up_policy" {
autoscaling_group_name = aws_autoscaling_group.asg.name
name = format("%s_scale_up", aws_autoscaling_group.asg.name)
adjustment_type = "ChangeInCapacity"
cooldown = 300
scaling_adjustment = 1
enable_volume_encryption = var.enable_volume_encryption
volume_size = var.volume_size
enable_instance_connect = var.enable_instance_connect
metadata_imdsv2_required = var.metadata_imdsv2_required
instances_tags = var.instances_tags

// --- Auto Scaling Configuration ---
minimum_group_size = var.minimum_group_size
maximum_group_size = var.maximum_group_size
target_groups = var.target_groups

// --- Check Point Settings ---
gateway_version = var.gateway_version
gateway_password_hash = var.gateway_password_hash
gateway_maintenance_mode_password_hash = var.gateway_maintenance_mode_password_hash
gateway_SICKey = var.gateway_SICKey
allow_upload_download = var.allow_upload_download
enable_cloudwatch = var.enable_cloudwatch
gateway_bootstrap_script = var.gateway_bootstrap_script
admin_shell = var.admin_shell

// --- Management Configuration ---
management_server = var.management_server
configuration_template = var.configuration_template
gateways_provision_address_type = var.gateways_provision_address_type

// --- Proxy ELB Configuration ---
proxy_elb_type = var.proxy_elb_type
proxy_elb_port = var.proxy_elb_port
proxy_elb_clients = var.proxy_elb_clients

// --- Security Rules ---
security_rules = var.security_rules
}
25 changes: 12 additions & 13 deletions modules/autoscale_master/output.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,43 +1,42 @@
output "Deployment" {
value = "Finalizing instances configuration may take up to 20 minutes after deployment is finished."
}

output "autoscale_autoscaling_group_name" {
value = aws_autoscaling_group.asg.name
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_name
}
output "autoscale_autoscaling_group_arn" {
value = aws_autoscaling_group.asg.arn
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_arn
}
output "autoscale_autoscaling_group_availability_zones" {
value = aws_autoscaling_group.asg.availability_zones
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_availability_zones
}
output "autoscale_autoscaling_group_desired_capacity" {
value = aws_autoscaling_group.asg.desired_capacity
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_desired_capacity
}
output "autoscale_autoscaling_group_min_size" {
value = aws_autoscaling_group.asg.min_size
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_min_size
}
output "autoscale_autoscaling_group_max_size" {
value = aws_autoscaling_group.asg.max_size
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_max_size
}
output "autoscale_autoscaling_group_load_balancers" {
value = aws_autoscaling_group.asg.load_balancers
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_load_balancers
}
output "autoscale_autoscaling_group_target_group_arns" {
value = aws_autoscaling_group.asg.target_group_arns
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_target_group_arns
}
output "autoscale_autoscaling_group_subnets" {
value = aws_autoscaling_group.asg.vpc_zone_identifier
value = module.launch_autoscale_into_vpc.autoscale_autoscaling_group_subnets
}
output "autoscale_launch_template_id" {
value = aws_launch_template.asg_launch_template.id
value = module.launch_autoscale_into_vpc.autoscale_launch_template_id
}

output "autoscale_security_group_id" {
value = aws_security_group.permissive_sg.id
value = module.launch_autoscale_into_vpc.autoscale_security_group_id
}

output "autoscale_iam_role_name" {
value = aws_iam_role.role.*.name
value = module.launch_autoscale_into_vpc.autoscale_iam_role_name
}

2 changes: 1 addition & 1 deletion modules/autoscale_master/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.20.0"
version = "~> 5.100.0"
}
http = {
version = "~> 3.4.0"
Expand Down
Loading
Loading