diff --git a/modules/autoscale_gwlb/README.md b/modules/autoscale_gwlb/README.md
index 97b8b67..0e84e96 100755
--- a/modules/autoscale_gwlb/README.md
+++ b/modules/autoscale_gwlb/README.md
@@ -66,10 +66,10 @@ module "example_module" {
allow_upload_download = true
enable_cloudwatch = false
gateway_bootstrap_script = "echo 'this is bootstrap script' > /home/admin/bootstrap.txt"
+ enable_ipv6 = false
}
```
-
## Inputs
| Name | Description | Type | Allowed Values |
@@ -103,7 +103,7 @@ module "example_module" {
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2
**Default:** gp3 |
| gateway_maintenance_mode_password_hash | (Optional) Maintenance-mode password for recovery purposes. | string | |
security_rules | List of security rules for ingress and egress. | list(object({
direction = string
from_port = any
to_port = any
protocol = any
cidr_blocks = list(any)
})) | **Default:** []|
-
+| enable_ipv6 | Enables dual-stack networking (IPv4 and IPv6) for the GWLB, [Please see version compatibility in the following guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Content/Topics-AWS-GWLB-ASG-DG/IPv6-Support.htm) | bool | true/false
**Default:** false
## Outputs
@@ -115,6 +115,7 @@ output "instance_public_ip" {
```
| Name | Description |
|------------------------------------------------|-------------------------------------------------------------------|
+| 20250508 |Added support for IPv6 traffic settings | |
| autoscale_autoscaling_group_name | The name of the deployed AutoScaling Group |
| autoscale_autoscaling_group_arn | The ARN for the deployed AutoScaling Group |
| autoscale_autoscaling_group_availability_zones | The AZs on which the Autoscaling Group is configured |
diff --git a/modules/autoscale_gwlb/asg_userdata_ipv6.yaml b/modules/autoscale_gwlb/asg_userdata_ipv6.yaml
new file mode 100644
index 0000000..e42149c
--- /dev/null
+++ b/modules/autoscale_gwlb/asg_userdata_ipv6.yaml
@@ -0,0 +1,33 @@
+#cloud-config
+network:
+ version: 1
+ config:
+ - type: bridge
+ name: br0
+ mtu: *eth0-mtu
+ subnets:
+ - address: *eth0-private
+ type: static
+ gateway: *default-gateway
+ dns_nameservers:
+ - *eth0-dns1
+ bridge_interfaces:
+ - eth0
+kernel_parameters:
+ sim:
+ - sim_geneve_enabled=1
+ - sim_geneve_br_dev=br0
+ fw:
+
+ - fwtls_bridge_mode_inspection=1
+ - fw_geneve_enabled=1
+bootcmd:
+ - echo "brctl hairpin br0 eth0 on" >> /etc/rc.local
+ - echo "cpprod_util CPPROD_SetValue \"fw1\" \"AwsGwlb\" 4 1 1" >> /etc/rc.local
+ - cp /etc/basedb /etc/basedb.bak
+ - grep -vx "ipv6 t" /etc/basedb.bak | grep -vx "ipv6 f" > /etc/basedb;
+ - echo "ipv6 t" >> /etc/basedb
+ - /etc/rc3.d/S07ipv6gen
+runcmd:
+ - |
+ python3 /etc/cloud_config.py enableCloudWatch=\"${EnableCloudWatch}\" sicKey=\"${SICKey}\" installationType=\"autoscale\" osVersion=\"${OsVersion}\" allowUploadDownload=\"${AllowUploadDownload}\" templateVersion=\"20231012\" templateName=\"autoscale_gwlb\" templateType=\"terraform\" shell=\"${Shell}\" enableInstanceConnect=\"${EnableInstanceConnect}\" passwordHash=\"${PasswordHash}\" MaintenanceModePassword=\"${MaintenanceModePassword}\" bootstrapScript64=\"${BootstrapScript}\"
\ No newline at end of file
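Review bot: The runcmd line at the end of this new template passes `sicKey`, `passwordHash` and `MaintenanceModePassword` to `/etc/cloud_config.py` as command-line arguments, where they are visible to any local process via `ps` while the script runs and to anything on the instance that can read user-data from IMDS; this appears to mirror the existing asg_userdata.yaml, but a second copy of the pattern is the moment to move them to a root-only file or stdin. The same line hardcodes `templateVersion=\"20231012\"` while the README hunk records this change as 20250508, so the version the new template reports is already stale. Since main.tf now passes `enable_ipv6` into templatefile(), the IPv6-specific pieces here (the `/etc/basedb` edit, `/etc/rc3.d/S07ipv6gen`, the `br0` bridge and the `sim_geneve_*`/`fw_geneve_enabled` parameters) could sit in the single existing template behind `%{ if enable_ipv6 }` … `%{ endif }` instead of a full duplicate that will drift. Note also that cloud-init runs `bootcmd` on every boot, so `echo ... >> /etc/rc.local` appends duplicate lines on each reboot unless Gaia's cloud-init differs; a `grep -qxF '...' /etc/rc.local || echo '...' >> /etc/rc.local` guard, like the filtering already done for basedb, would make it idempotent.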
diff --git a/modules/autoscale_gwlb/main.tf b/modules/autoscale_gwlb/main.tf
index c657fdb..97ebdd2 100755
--- a/modules/autoscale_gwlb/main.tf
+++ b/modules/autoscale_gwlb/main.tf
@@ -10,49 +10,43 @@ resource "aws_security_group" "permissive_sg" {
name_prefix = format("%s_PermissiveSecurityGroup", local.asg_name)
description = "Permissive security group"
vpc_id = var.vpc_id
-
- dynamic "ingress" {
- for_each = [for rule in var.security_rules : rule if rule.direction == "ingress"]
- content {
- from_port = ingress.value.from_port
- to_port = ingress.value.to_port
- protocol = ingress.value.protocol
- cidr_blocks = ingress.value.cidr_blocks
+ tags = {
+ Name = format("%s_PermissiveSecurityGroup", local.asg_name)
}
}
- dynamic ingress {
- for_each = length([for rule in var.security_rules : rule if rule.direction == "ingress"]) == 0 ? [1] : []
- content{
+resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
+ security_group_id = aws_security_group.permissive_sg.id
+ cidr_ipv4 = "0.0.0.0/0"
from_port = 0
+ ip_protocol = "-1"
to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
}
- }
- dynamic "egress" {
- for_each = [for rule in var.security_rules : rule if rule.direction == "egress"]
- content {
- from_port = egress.value.from_port
- to_port = egress.value.to_port
- protocol = egress.value.protocol
- cidr_blocks = egress.value.cidr_blocks
- }
+resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv4" {
+ security_group_id = aws_security_group.permissive_sg.id
+ cidr_ipv4 = "0.0.0.0/0"
+ from_port = 0
+ ip_protocol = "-1"
+ to_port = 0
+ }
+
+resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv6" {
+ count = var.enable_ipv6 ? 1 : 0
+ security_group_id = aws_security_group.permissive_sg.id
+ cidr_ipv6 = "::/0"
+ from_port = 0
+ ip_protocol = "-1"
+ to_port = 0
}
- dynamic egress {
- for_each = length([for rule in var.security_rules : rule if rule.direction == "egress"]) == 0 ? [1] : []
- content{
+resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv6" {
+ count = var.enable_ipv6 ? 1 : 0
+ security_group_id = aws_security_group.permissive_sg.id
+ cidr_ipv6 = "::/0"
from_port = 0
+ ip_protocol = "-1"
to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
- }
- tags = {
- Name = format("%s_PermissiveSecurityGroup", local.asg_name)
- }
}
resource "aws_launch_template" "asg_launch_template" {
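Review bot: The rewrite drops every reference to `var.security_rules`: the removed dynamic `ingress`/`egress` blocks applied the caller's rules and fell back to `0.0.0.0/0` only when none were given, whereas the new `ingress_rule_ipv4`/`egress_rule_ipv4` resources unconditionally open all protocols to `0.0.0.0/0` (and `::/0` when `enable_ipv6` is set), so a caller who restricted the gateway security group now silently gets an any/any group while the variable remains declared in variables.tf and documented in the README. Either restore the variable's effect by expanding each rule's `cidr_blocks` into one `aws_vpc_security_group_*_rule` per CIDR with the any/any rule as the fallback, or remove the variable and document that the group is permissive by design; a caller-supplied IPv6 CIDR would additionally need to be routed to `cidr_ipv6`. For the any/any rules, `from_port`/`to_port` should be omitted when `ip_protocol = "-1"` rather than set to 0, which is what the new rule resources expect. The `aws_security_group "permissive_sg"` resource starts above this hunk.

```hcl
locals {
  # One entry per (rule, CIDR) pair; aws_vpc_security_group_*_rule takes a single CIDR.
  sg_rules = flatten([
    for i, rule in var.security_rules : [
      for cidr in rule.cidr_blocks : {
        key       = "${rule.direction}-${i}-${cidr}"
        direction = rule.direction
        from_port = rule.from_port
        to_port   = rule.to_port
        protocol  = tostring(rule.protocol)
        cidr      = cidr
      }
    ]
  ])
  ingress_rules = { for r in local.sg_rules : r.key => r if r.direction == "ingress" }
  egress_rules  = { for r in local.sg_rules : r.key => r if r.direction == "egress" }
}

resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
  for_each          = local.ingress_rules
  security_group_id = aws_security_group.permissive_sg.id
  cidr_ipv4         = each.value.cidr
  ip_protocol       = each.value.protocol
  # Port range is meaningless for protocol -1 and is rejected by the API.
  from_port         = each.value.protocol == "-1" ? null : each.value.from_port
  to_port           = each.value.protocol == "-1" ? null : each.value.to_port
}

# Fallback: any/any ingress only when the caller supplied no ingress rules.
resource "aws_vpc_security_group_ingress_rule" "ingress_allow_all_ipv4" {
  count             = length(local.ingress_rules) == 0 ? 1 : 0
  security_group_id = aws_security_group.permissive_sg.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# … egress_rule_ipv4 / egress_allow_all_ipv4 mirror the two resources above using local.egress_rules …
# … ingress_rule_ipv6 / egress_rule_ipv6 unchanged (gated on var.enable_ipv6), minus from_port/to_port …
```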
@@ -87,7 +81,7 @@ resource "aws_launch_template" "asg_launch_template" {
description = "Initial template version"
- user_data = base64encode(templatefile("${path.module}/asg_userdata.yaml", {
+ user_data = base64encode(templatefile("${path.module}/${var.enable_ipv6 ? "asg_userdata_ipv6.yaml" : "asg_userdata.yaml"}", {
// script's arguments
PasswordHash = local.gateway_password_hash_base64,
MaintenanceModePassword = local.maintenance_mode_password_hash_base64,
@@ -98,6 +92,7 @@ resource "aws_launch_template" "asg_launch_template" {
AllowUploadDownload = var.allow_upload_download,
BootstrapScript = local.gateway_bootstrap_script64,
OsVersion = local.version_split
+ enable_ipv6 = var.enable_ipv6
}))
}
resource "aws_autoscaling_group" "asg" {
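Review bot: `enable_ipv6` is added to the templatefile() variables here, but the previous hunk already selects the template by file name and the new asg_userdata_ipv6.yaml in this diff never references `${enable_ipv6}` (asg_userdata.yaml is not shown, but presumably does not either), so the argument is dead. Pick one mechanism: either drop this line, or keep it and use `%{ if enable_ipv6 }` … `%{ endif }` inside a single asg_userdata.yaml so the IPv6-only bootcmd entries and kernel parameters are not maintained in two near-identical copies. If the line stays, the preceding `OsVersion = local.version_split` has no trailing comma while the lines above it do; HCL accepts newline-separated attributes, but `OsVersion = local.version_split,` keeps the style consistent. The `aws_launch_template` resource starts above this hunk.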
diff --git a/modules/autoscale_gwlb/output.tf b/modules/autoscale_gwlb/output.tf
index ce5f76c..95e2d8b 100755
--- a/modules/autoscale_gwlb/output.tf
+++ b/modules/autoscale_gwlb/output.tf
@@ -39,3 +39,6 @@ output "autoscale_iam_role_name" {
value = aws_iam_role.role.*.name
}
+output "enable_ipv6"{
+ value = var.enable_ipv6
+}
diff --git a/modules/autoscale_gwlb/variables.tf b/modules/autoscale_gwlb/variables.tf
index 6262fe8..2de884d 100755
--- a/modules/autoscale_gwlb/variables.tf
+++ b/modules/autoscale_gwlb/variables.tf
@@ -190,4 +190,9 @@ variable "security_rules" {
cidr_blocks = list(string)
}))
default = []
+}
+variable "enable_ipv6" {
+ type = bool
+ description = "Enable IPv6 settings of AWS resources."
+ default = false
}
\ No newline at end of file
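Review bot: The description `Enable IPv6 settings of AWS resources.` does not tell the caller what the flag changes in this module — in this diff it switches the gateway user-data to the IPv6 template and adds `::/0` any/any ingress and egress rules to the permissive security group — nor that it needs a gateway version with IPv6 support, which the README links to. Suggested: `description = "Enable dual-stack (IPv4/IPv6) support: selects the IPv6 gateway user-data template and adds ::/0 rules to the gateway security group. Requires a gateway version with IPv6 support; see README."`. Separately, the `security_rules` variable declared just above this addition is no longer read by main.tf after this change, so its description should say it is ignored or the variable should be removed rather than left as a silent no-op.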
diff --git a/modules/gwlb/README.md b/modules/gwlb/README.md
index a244750..17a93ab 100755
--- a/modules/gwlb/README.md
+++ b/modules/gwlb/README.md
@@ -137,6 +137,7 @@ module "example_module" {
| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2
**Default:** gp3 |
| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). | string | |
| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. For R81.10 and below the Admin user's password is used also as maintenance-mode password. (To generate a password hash use the command "grub2-mkpasswd-pbkdf2" on Linux and paste it here). | string | |
+| enable_ipv6 | Enables dual-stack networking (IPv4 and IPv6) for the GWLB, [Please see version compatibility in the following guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Content/Topics-AWS-GWLB-ASG-DG/IPv6-Support.htm) | bool | true/false
**Default:** false |
## Outputs
To display the outputs defined by the module, create an `outputs.tf` file with the following structure:
@@ -154,5 +155,5 @@ output "instance_public_ip" {
| gwlb_name | The name of the deployed Gateway Load Balancer |
| gwlb_service_name | The service name for the deployed Gateway Load Balancer |
| gwlb_arn | The arn for the deployed Gateway Load Balancer |
-
+| enable_ipv6 | Dual-stack IPv4/IPv6 compatible |
diff --git a/modules/gwlb/main.tf b/modules/gwlb/main.tf
index 60f1d14..e36cf74 100755
--- a/modules/gwlb/main.tf
+++ b/modules/gwlb/main.tf
@@ -18,13 +18,14 @@ module "gateway_load_balancer" {
target_group_port = 6081
listener_port = 6081
cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+ enable_ipv6 = var.enable_ipv6
}
resource "aws_vpc_endpoint_service" "gwlb_endpoint_service" {
depends_on = [module.gateway_load_balancer]
gateway_load_balancer_arns = module.gateway_load_balancer[*].load_balancer_arn
acceptance_required = var.connection_acceptance_required
-
+ supported_ip_address_types = var.enable_ipv6 ? ["ipv4", "ipv6"] : ["ipv4"]
tags = {
"Name" = "gwlb-endpoint-service-${var.gateway_load_balancer_name}"
}
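Review bot: `supported_ip_address_types` advertises `ipv6` purely from the flag, but AWS documents that an endpoint service can list `ipv6` only when every attached Gateway Load Balancer is dualstack, so if the `enable_ipv6` passed to `module.gateway_load_balancer` a few lines above does not become `ip_address_type = "dualstack"` on the load balancer (that module's hunk is cut off at the end of this diff), the apply fails here rather than at the load balancer. A `lifecycle { precondition { … } }` on this resource asserting the module's load balancer is dualstack whenever `var.enable_ipv6` is true would surface the mismatch at plan time, if the module exposes that attribute. The `depends_on` on the module is already present, so ordering is not the concern — only the consistency of the two settings.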
@@ -58,6 +59,7 @@ module "autoscale_gwlb" {
management_server = var.management_server
configuration_template = var.configuration_template
volume_type = var.volume_type
+ enable_ipv6 = var.enable_ipv6
}
data "aws_region" "current"{}
diff --git a/modules/gwlb/output.tf b/modules/gwlb/output.tf
index 3beba7e..a32f428 100755
--- a/modules/gwlb/output.tf
+++ b/modules/gwlb/output.tf
@@ -19,4 +19,7 @@ output "controller_name" {
}
output "template_name" {
value = var.configuration_template
+}
+output "enable_ipv6"{
+ value = var.enable_ipv6
}
\ No newline at end of file
diff --git a/modules/gwlb/variables.tf b/modules/gwlb/variables.tf
index ad0988f..1cdf41b 100755
--- a/modules/gwlb/variables.tf
+++ b/modules/gwlb/variables.tf
@@ -243,4 +243,9 @@ variable "volume_type" {
type = string
description = "General Purpose SSD Volume Type"
default = "gp3"
+}
+variable "enable_ipv6" {
+ type = bool
+ description = "Enable IPv6 settings of AWS resources."
+ default = false
}
\ No newline at end of file
diff --git a/modules/gwlb_master/README.md b/modules/gwlb_master/README.md
index 106c009..3cca19f 100755
--- a/modules/gwlb_master/README.md
+++ b/modules/gwlb_master/README.md
@@ -82,6 +82,7 @@ module "example_module" {
gateway_management = "Locally managed"
admin_cidr = ""
gateways_addresses = ""
+ enable_ipv6 = false
// --- Other parameters ---
volume_type = "gp3"
@@ -91,47 +92,48 @@ module "example_module" {
## Inputs
-| Name | Description | Type | Allowed values |
-|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| vpc_cidr | The CIDR block of the VPC | string | |
-| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g., {"us-east-1a" = 1}) | map | |
-| subnets_bit_length | Number of additional bits with which to extend the VPC CIDR. For example, if given a `vpc_cidr` ending in /16 and a `subnets_bit_length` value of 4, the resulting subnet address will have length /20 | number | |
-| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | |
-| enable_volume_encryption | Encrypt environment instances volume with the default AWS KMS key | bool | true/false
**Default:** true |
-| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false
**Default:** false |
-| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true, Terraform destroy won't work properly | bool | true/false
**Default:** false |
-| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false
**Default:** true |
-| volume_size | Instances volume size | number | **Default:** 100 |
-| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false
**Default:** true |
-| management_server | The name that represents the Security Management Server in the automatic provisioning configuration | string | **Default:** CP-Management-gwlb-tf |
-| configuration_template | The tag used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | **Default:** gwlb-configuration |
-| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh
**Default:** /etc/cli.sh |
-| gateway_load_balancer_name | Load Balancer name in AWS | string | **Default:** gwlb1 |
-| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | **Default:** tg1 |
-| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false (acceptance not required). | bool | true/false
**Default:** false |
-| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE: this may cause a spike in cross-az charges. | bool | true/false
**Default:** true |
-| gateway_name | The name tag of the Security Gateway instances. (optional) | string | **Default:** Check-Point-GW-tf |
-| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge
- m6a.32xlarge
- m6a.48xlarge
**Default:** c5.xlarge |
-| gateways_min_group_size | The minimal number of Security Gateways | number | **Default:** 2 |
-| gateways_max_group_size | The maximal number of Security Gateways | number | **Default:** 10 |
-| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX
**Default:** R81.20-BYOL |
-| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | **Default:** "" |
-| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | **Default:** "12345678" |
-| enable_cloudwatch | Report Check Point-specific CloudWatch metrics | bool | true/false
**Default:** false |
-| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | **Default:** "" |
-| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address | string | - private
- public
**Default:** private |
-| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false
**Default:** false |
-| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false
**Default:** true |
-| management_instance_type | The EC2 instance type of the Security Management Server | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge
- m6a.32xlarge
- m6a.48xlarge
**Default:** m5.xlarge |
-| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
**Default:** R81.20-BYOL |
-| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
-| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | **Default:** Standard |
-| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet
**Default:** Locally managed |
-| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR
|
-| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR
|
-| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2
**Default:** gp3 |
-| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
-| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
+| Name | Description | Type | Allowed values |
+|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| vpc_cidr | The CIDR block of the VPC | string | |
+| public_subnets_map | A map of pairs {availability-zone = subnet-suffix-number}. Each entry creates a subnet. Minimum 1 pair. (e.g., {"us-east-1a" = 1}) | map | |
+| subnets_bit_length | Number of additional bits with which to extend the VPC CIDR. For example, if given a `vpc_cidr` ending in /16 and a `subnets_bit_length` value of 4, the resulting subnet address will have length /20 | number | |
+| key_name | The EC2 Key Pair name to allow SSH access to the instances | string | |
+| enable_volume_encryption | Encrypt environment instances volume with the default AWS KMS key | bool | true/false
**Default:** true |
+| enable_instance_connect | Enable SSH connection over AWS web console. Supporting regions can be found [here](https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/) | bool | true/false
**Default:** false |
+| disable_instance_termination | Prevents an instance from accidental termination. Note: Once this attribute is true, Terraform destroy won't work properly | bool | true/false
**Default:** false |
+| metadata_imdsv2_required | Set true to deploy the instance with metadata v2 token required | bool | true/false
**Default:** true |
+| volume_size | Instances volume size | number | **Default:** 100 |
+| allow_upload_download | Automatically download Blade Contracts and other important data. Improve product experience by sending data to Check Point | bool | true/false
**Default:** true |
+| management_server | The name that represents the Security Management Server in the automatic provisioning configuration | string | **Default:** CP-Management-gwlb-tf |
+| configuration_template | The tag used by the Security Management Server to automatically provision the Security Gateways. Must be up to 12 alphanumeric characters and unique for each Quick Start deployment | string | **Default:** gwlb-configuration |
+| admin_shell | Set the admin shell to enable advanced command line configuration | string | - /etc/cli.sh
- /bin/bash
- /bin/csh
- /bin/tcsh
**Default:** /etc/cli.sh |
+| gateway_load_balancer_name | Load Balancer name in AWS | string | **Default:** gwlb1 |
+| target_group_name | Target Group Name. This name must be unique within your AWS account and can have a maximum of 32 alphanumeric characters and hyphens. | string | **Default:** tg1 |
+| connection_acceptance_required | Indicate whether requests from service consumers to create an endpoint to your service must be accepted. Default is set to false (acceptance not required). | bool | true/false
**Default:** false |
+| enable_cross_zone_load_balancing | Select 'true' to enable cross-az load balancing. NOTE: this may cause a spike in cross-az charges. | bool | true/false
**Default:** true |
+| gateway_name | The name tag of the Security Gateway instances. (optional) | string | **Default:** Check-Point-GW-tf |
+| gateway_instance_type | The instance type of the Security Gateways | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge
- m6a.32xlarge
- m6a.48xlarge
**Default:** c5.xlarge |
+| gateways_min_group_size | The minimal number of Security Gateways | number | **Default:** 2 |
+| gateways_max_group_size | The maximal number of Security Gateways | number | **Default:** 10 |
+| gateway_version | Gateway version and license | string | - R81.20-BYOL
- R81.20-PAYG-NGTP
- R81.20-PAYG-NGTX
- R82-BYOL
- R82-PAYG-NGTP
- R82-PAYG-NGTX
**Default:** R81.20-BYOL |
+| gateway_password_hash | (Optional) Admin user's password hash (use command 'openssl passwd -6 PASSWORD' to get the PASSWORD's hash) | string | **Default:** "" |
+| gateway_SICKey | The Secure Internal Communication key for trusted connection between Check Point components. Choose a random string consisting of at least 8 alphanumeric characters | string | **Default:** "12345678" |
+| enable_cloudwatch | Report Check Point-specific CloudWatch metrics | bool | true/false
**Default:** false |
+| gateway_bootstrap_script | (Optional) An optional script with semicolon (;) separated commands to run on the initial boot | string | **Default:** "" |
+| gateways_provision_address_type | Determines if the gateways are provisioned using their private or public address | string | - private
- public
**Default:** private |
+| allocate_public_IP | Allocate a Public IP for gateway members. | bool | true/false
**Default:** false |
+| management_deploy | Select 'false' to use an existing Security Management Server or to deploy one later and to ignore the other parameters of this section | bool | true/false
**Default:** true |
+| management_instance_type | The EC2 instance type of the Security Management Server | string | - c4.large
- c4.xlarge
- c5.large
- c5.xlarge
- c5.2xlarge
- c5.4xlarge
- c5.9xlarge
- c5.12xlarge
- c5.18xlarge
- c5.24xlarge
- c5n.large
- c5n.xlarge
- c5n.2xlarge
- c5n.4xlarge
- c5n.9xlarge
- c5n.18xlarge
- c5d.large
- c5d.xlarge
- c5d.2xlarge
- c5d.4xlarge
- c5d.9xlarge
- c5d.12xlarge
- c5d.18xlarge
- c5d.24xlarge
- m5.large
- m5.xlarge
- m5.2xlarge
- m5.4xlarge
- m5.8xlarge
- m5.12xlarge
- m5.16xlarge
- m5.24xlarge
- m6i.large
- m6i.xlarge
- m6i.2xlarge
- m6i.4xlarge
- m6i.8xlarge
- m6i.12xlarge
- m6i.16xlarge
- m6i.24xlarge
- m6i.32xlarge
- c6i.large
- c6i.xlarge
- c6i.2xlarge
- c6i.4xlarge
- c6i.8xlarge
- c6i.12xlarge
- c6i.16xlarge
- c6i.24xlarge
- c6i.32xlarge
- c6in.large
- c6in.xlarge
- c6in.2xlarge
- c6in.4xlarge
- c6in.8xlarge
- c6in.12xlarge
- c6in.16xlarge
- c6in.24xlarge
- c6in.32xlarge
- r5.large
- r5.xlarge
- r5.2xlarge
- r5.4xlarge
- r5.8xlarge
- r5.12xlarge
- r5.16xlarge
- r5.24xlarge
- r5a.large
- r5a.xlarge
- r5a.2xlarge
- r5a.4xlarge
- r5a.8xlarge
- r5a.12xlarge
- r5a.16xlarge
- r5a.24xlarge
- r5b.large
- r5b.xlarge
- r5b.2xlarge
- r5b.4xlarge
- r5b.8xlarge
- r5b.12xlarge
- r5b.16xlarge
- r5b.24xlarge
- r5n.large
- r5n.xlarge
- r5n.2xlarge
- r5n.4xlarge
- r5n.8xlarge
- r5n.12xlarge
- r5n.16xlarge
- r5n.24xlarge
- r6i.large
- r6i.xlarge
- r6i.2xlarge
- r6i.4xlarge
- r6i.8xlarge
- r6i.12xlarge
- r6i.16xlarge
- r6i.24xlarge
- r6i.32xlarge
- m6a.large
- m6a.xlarge
- m6a.2xlarge
- m6a.4xlarge
- m6a.8xlarge
- m6a.12xlarge
- m6a.16xlarge
- m6a.24xlarge
- m6a.32xlarge
- m6a.48xlarge
**Default:** m5.xlarge |
+| management_version | The license to install on the Security Management Server | string | - R81.10-BYOL
- R81.10-PAYG
- R81.20-BYOL
- R81.20-PAYG
**Default:** R81.20-BYOL |
+| management_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
+| gateways_policy | The name of the Security Policy package to be installed on the gateways in the Security Gateways Auto Scaling group | string | **Default:** Standard |
+| gateway_management | Select 'Over the internet' if any of the gateways you wish to manage are not directly accessed via their private IP address. | string | - Locally managed
- Over the internet
**Default:** Locally managed |
+| admin_cidr | (CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Management Server | string | valid CIDR
|
+| gateway_addresses | (CIDR) Allow gateways only from this network to communicate with the Management Server | string | valid CIDR
|
+| volume_type | General Purpose SSD Volume Type | string | - gp3
- gp2
**Default:** gp3 |
+| gateway_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
+| management_maintenance_mode_password_hash | Check Point recommends setting Admin user's password and maintenance-mode password for recovery purposes. | string | **Default:** "" |
+| enable_ipv6 | Enables dual-stack networking (IPv4 and IPv6) for the GWLB, [Please see version compatibility in the following guide](https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Network_for_AWS_Gateway_Load_Balancer_ASG/Content/Topics-AWS-GWLB-ASG-DG/IPv6-Support.htm) | bool | true/false
**Default:** false |
## Outputs
@@ -149,4 +151,5 @@ output "instance_public_ip" {
| controller_name | The controller name in CME. |
| gwlb_name | The name of the deployed Gateway Load Balancer |
| gwlb_service_name | The service name for the deployed Gateway Load Balancer |
-| gwlb_arn | The arn for the deployed Gateway Load Balancer |
\ No newline at end of file
+| gwlb_arn | The arn for the deployed Gateway Load Balancer |
+| enable_ipv6 | Dual-stack IPv4/IPv6 compatible |
diff --git a/modules/gwlb_master/main.tf b/modules/gwlb_master/main.tf
index 0a6a98f..e02c1f8 100755
--- a/modules/gwlb_master/main.tf
+++ b/modules/gwlb_master/main.tf
@@ -5,6 +5,7 @@ module "launch_vpc" {
public_subnets_map = var.public_subnets_map
private_subnets_map = {}
subnets_bit_length = var.subnets_bit_length
+ enable_ipv6 = var.enable_ipv6
}
module "gwlb" {
@@ -56,4 +57,5 @@ module "gwlb" {
gateways_addresses = var.gateways_addresses
volume_type = var.volume_type
+ enable_ipv6 = var.enable_ipv6
}
\ No newline at end of file
diff --git a/modules/gwlb_master/output.tf b/modules/gwlb_master/output.tf
index 15cb48a..1db63d7 100755
--- a/modules/gwlb_master/output.tf
+++ b/modules/gwlb_master/output.tf
@@ -21,4 +21,7 @@ output "controller_name" {
}
output "template_name" {
value = var.configuration_template
+}
+output "enable_ipv6"{
+ value = var.enable_ipv6
}
\ No newline at end of file
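Review bot: The new output header `output "enable_ipv6"{` is missing the space before the opening brace that every other block in this file has; `terraform fmt` would rewrite it as `output "enable_ipv6" {`. The same formatting slip appears in the `enable_ipv6` outputs added to modules/load_balancer/output.tf and modules/vpc/output.tf. Separately, this output just echoes the input variable; since module "launch_vpc" now exposes an `enable_ipv6` output derived from the VPC resource, `value = module.launch_vpc.enable_ipv6` would report what was actually applied rather than what was requested — confirm that is the intended meaning of the output.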
diff --git a/modules/gwlb_master/variables.tf b/modules/gwlb_master/variables.tf
index e003878..8358bd3 100755
--- a/modules/gwlb_master/variables.tf
+++ b/modules/gwlb_master/variables.tf
@@ -254,4 +254,9 @@ variable "volume_type" {
type = string
description = "General Purpose SSD Volume Type"
default = "gp3"
+}
+variable "enable_ipv6" {
+ type = bool
+ description = "Enable IPv6 settings of AWS resources."
+ default = false
}
\ No newline at end of file
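Review bot: The description `"Enable IPv6 settings of AWS resources."` does not tell a caller what the flag actually changes, and the README for this module points readers to a version-compatibility guide that the variable does not mention. Based on the other hunks in this commit, something like `description = "Enable dual-stack (IPv4/IPv6) networking: assigns an IPv6 CIDR block to the VPC and its subnets and sets the load balancer ip_address_type to dualstack. Check gateway version compatibility before enabling."` would be more useful. The identically worded variable added to modules/load_balancer/variables.tf and modules/vpc/variables.tf would benefit from the same treatment.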
diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf
index 18b3b75..4ab4421 100755
--- a/modules/load_balancer/main.tf
+++ b/modules/load_balancer/main.tf
@@ -12,6 +12,7 @@ resource "aws_lb" "load_balancer" {
security_groups = var.security_groups
tags = var.tags
enable_cross_zone_load_balancing = var.cross_zone_load_balancing
+ ip_address_type = var.enable_ipv6 ? "dualstack" : "ipv4"
}
resource "aws_lb_target_group" "lb_target_group" {
name = substr(format("%s-%s", "${var.prefix_name}-TG", random_id.unique_lb_id.hex), 0, 32)
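Review bot: Switching `ip_address_type` to `dualstack` makes the load balancer reachable over IPv6, but the ingress filtering is still whatever `var.security_groups` on the line above provides, and this commit does not touch those rules. Security-group rules written only with IPv4 `cidr_blocks` do not match IPv6 sources, so IPv6 traffic will either be dropped entirely or, if the groups carry an `ipv6_cidr_blocks = ["::/0"]` style rule, allowed unfiltered — confirm the security-group definitions were extended with deliberate IPv6 rules. It is also worth a comment on the new line noting that `dualstack` requires every subnet the load balancer is placed in to have an IPv6 CIDR block, otherwise the apply fails, e.g. `# dualstack requires IPv6 CIDRs on all LB subnets (see modules/vpc)`.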
diff --git a/modules/load_balancer/output.tf b/modules/load_balancer/output.tf
index 6312360..3ef5d9a 100755
--- a/modules/load_balancer/output.tf
+++ b/modules/load_balancer/output.tf
@@ -15,4 +15,7 @@ output "target_group_arn" {
}
output "load_balancer_tags" {
value = aws_lb.load_balancer.tags
+}
+output "enable_ipv6"{
+ value = var.enable_ipv6
}
\ No newline at end of file
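Review bot: The new `enable_ipv6` output returns `var.enable_ipv6`, whereas the matching output added to modules/vpc/output.tf reads the applied resource attribute (`aws_vpc.vpc.assign_generated_ipv6_cidr_block`); the two modules should agree on what this output means. Reporting the resource state here would be `value = aws_lb.load_balancer.ip_address_type == "dualstack"`, which reflects what was actually configured on the load balancer rather than the requested flag.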
diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf
index 2e143fc..eeac58d 100755
--- a/modules/load_balancer/variables.tf
+++ b/modules/load_balancer/variables.tf
@@ -59,4 +59,9 @@ variable "health_check_protocol" {
description = "The health check protocol"
type = string
default = null
+}
+variable "enable_ipv6" {
+ type = bool
+ description = "Enable IPv6 settings of AWS resources."
+ default = false
}
\ No newline at end of file
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index b4b223b..7e85501 100755
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -1,6 +1,7 @@
// --- VPC ---
resource "aws_vpc" "vpc" {
cidr_block = var.vpc_cidr
+ assign_generated_ipv6_cidr_block = var.enable_ipv6
}
// --- Internet Gateway ---
@@ -15,6 +16,7 @@ resource "aws_subnet" "public_subnets" {
vpc_id = aws_vpc.vpc.id
availability_zone = each.key
cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ ipv6_cidr_block = var.enable_ipv6 ? cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, var.subnets_bit_length, each.value) : null
map_public_ip_on_launch = true
tags = {
Name = format("Public subnet %s", each.value)
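Review bot: The new `ipv6_cidr_block` reuses `var.subnets_bit_length`, which is sized for the IPv4 VPC CIDR, but AWS assigns the VPC a /56 IPv6 block and only accepts /64 IPv6 subnet CIDRs; with the example value of 4 given in the variable's description the expression yields a /60 and the apply is rejected. The number of new bits for the IPv6 side should be fixed at 8 regardless of the IPv4 setting: `ipv6_cidr_block = var.enable_ipv6 ? cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, 8, each.value) : null`. The identical expression is added to the private_subnets and tgw_subnets resources in this file and needs the same change. If instances in these subnets are expected to receive IPv6 addresses automatically, `assign_ipv6_address_on_creation` may also be needed on the subnet — confirm against how the gateways are launched.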
@@ -28,6 +30,7 @@ resource "aws_subnet" "private_subnets" {
vpc_id = aws_vpc.vpc.id
availability_zone = each.key
cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ ipv6_cidr_block = var.enable_ipv6 ? cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, var.subnets_bit_length, each.value) : null
tags = {
Name = format("Private subnet %s", each.value)
}
@@ -40,6 +43,7 @@ resource "aws_subnet" "tgw_subnets" {
vpc_id = aws_vpc.vpc.id
availability_zone = each.key
cidr_block = cidrsubnet(aws_vpc.vpc.cidr_block, var.subnets_bit_length, each.value)
+ ipv6_cidr_block = var.enable_ipv6 ? cidrsubnet(aws_vpc.vpc.ipv6_cidr_block, var.subnets_bit_length, each.value) : null
tags = {
Name = format("tgw subnet %s", each.value)
}
@@ -58,6 +62,12 @@ resource "aws_route" "vpc_internet_access" {
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
+resource "aws_route" "vpc_internet_access_ipv6" {
+ count = var.enable_ipv6 ? 1 : 0
+ route_table_id = aws_route_table.public_subnet_rtb.id
+ destination_ipv6_cidr_block = "::/0"
+ gateway_id = aws_internet_gateway.igw.id
+}
resource "aws_route_table_association" "public_rtb_to_public_subnets" {
for_each = { for public_subnet in aws_subnet.public_subnets : public_subnet.cidr_block => public_subnet.id }
route_table_id = aws_route_table.public_subnet_rtb.id
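Review bot: The `::/0` route is only added to the public route table, yet the private_subnets and tgw_subnets resources earlier in this file now receive IPv6 CIDR blocks with no IPv6 route at all. If that is intentional (no IPv6 egress from private subnets), a comment on the new resource saying so would prevent the next maintainer from "fixing" it by pointing private subnets at the IGW; if outbound-only IPv6 is wanted there, an `aws_egress_only_internet_gateway` route is the usual answer, since routing private subnets through the IGW would make their IPv6 addresses directly reachable from the internet. Suggested comment: `# IPv6 default route for public subnets only; private/tgw subnets intentionally have no IPv6 egress`.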
diff --git a/modules/vpc/output.tf b/modules/vpc/output.tf
index fc4173c..fec9c18 100755
--- a/modules/vpc/output.tf
+++ b/modules/vpc/output.tf
@@ -16,3 +16,6 @@ output "public_rtb" {
output "aws_igw" {
value = aws_internet_gateway.igw.id
}
+output "enable_ipv6"{
+ value = aws_vpc.vpc.assign_generated_ipv6_cidr_block
+}
\ No newline at end of file
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf
index 2623f9d..b1277f8 100755
--- a/modules/vpc/variables.tf
+++ b/modules/vpc/variables.tf
@@ -19,4 +19,9 @@ variable "subnets_bit_length" {
type = number
description = "Number of additional bits with which to extend the vpc cidr. For example, if given a vpc_cidr ending in /16 and a subnets_bit_length value of 4, the resulting subnet address will have length /20."
}
+variable "enable_ipv6" {
+ type = bool
+ description = "Enable IPv6 settings of AWS resources."
+ default = false
+}