New master

Author: chkp-eddiek

README.md

@@ -0,0 +1,112 @@
+
+
+# Terraform Modules for CloudGuard Network Security (CGNS) — VMware (by Broadcom)
+
+## Introduction
+This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in VMware vCenter.<br>
+These modules automate the creation of Security Gateways and Management servers.<br>
+The repository contains:
+* Terraform modules
+* Community-supported content
+
+### Prerequisites
+* Terraform version v1.10.5 or later.
+* VMware vCenter Server v7.0 or later.
+* Check Point CloudGuard Network Security OVAs from [CloudGuard Network for Private Cloud images
+  ](https://support.checkpoint.com/results/sk/sk158292) R81.20 or later.
+
+## Repository Structure
+`Submodules:` Contains modular, reusable, production-grade Terraform components, each with its own documentation.
+
+<!-- `Examples:` Demonstrates how to use the modules. -->
+
+**Submodules:**
+
+* [`single_gateway`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/vmware/latest/submodules/single_gateway) - Deploys CloudGuard Single Gateway solution into an existing network.
+* [`management`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/vmware/latest/submodules/management) - Deploys CloudGuard Management Server solution into an existing network.
+
+
+
+***
+
+# Best Practices for Using CloudGuard Modules
+
+## Step 1: Use the Required Module
+Add the required module in your Terraform configuration file to deploy resources. For example:
+
+```hcl
+provider "vsphere" {}
+
+module "example_module" {
+  source  = "CheckPointSW/cloudguard-network-security/vmware//modules/{module_name}"
+  version = "{chosen_version}"
+  # Add the required inputs
+}
+```
+---
+## Step 2: Open the Terminal
+Ensure you have [Terraform](https://developer.hashicorp.com/terraform/install) installed and navigate to the directory
+where your Terraform configuration file is located using the appropriate terminal:
+- **Linux**: **Terminal**.
+- **Windows**: **PowerShell** or **Command Prompt**.
+
+---
+
+## Step 3: Set Environment Variables
+Set the required environment variables.
+
+
+### Linux
+```bash
+export VSPHERE_USER="your_vsphere_username"
+export VSPHERE_PASSWORD="your_vsphere_password"
+export VSPHERE_SERVER="your_vsphere_server"
+export VSPHERE_ALLOW_UNVERIFIED_SSL="false"  # Set to "true" if vCenter is using self-signed certificate
+```
+### PowerShell (Windows)
+```PowerShell
+$env:VSPHERE_USER="your_vsphere_username"
+$env:VSPHERE_PASSWORD="your_vsphere_password"
+$env:VSPHERE_SERVER"your_vsphere_server"
+$env:VSPHERE_ALLOW_UNVERIFIED_SSL = "false"  # Set to "true" if vCenter is using self-signed certificate
+```
+### Command Prompt (Windows)
+```cmd
+set VSPHERE_SERVER=your_vsphere_server
+set VSPHERE_USER=your_vsphere_username
+set VSPHERE_PASSWORD=your_vsphere_password
+set VSPHERE_ALLOW_UNVERIFIED_SSL=false  # Set to `true` if vCenter is using self-signed certificate
+```
+---
+
+## Step 4: Deploy with Terraform
+Use Terraform commands to deploy resources securely.
+
+### Initialize Terraform
+Prepare the working directory and download required provider plugins:
+```shell
+terraform init
+```
+
+### Plan Deployment
+Preview the changes Terraform will make:
+```shell
+terraform plan
+```
+### Apply Deployment
+Apply the planned changes and deploy the resources:
+```shell
+terraform apply
+```
+Notes:
+1. Type `yes` when prompted to confirm the deployment.
+2. The deployment takes a few minutes to complete (depending on the deployment size, can take ~30 minutes).
+
+## Related Products and Solutions
+* CloudGuard Network Security for [AWS](https://github.com/CheckPointSW/terraform-aws-cloudguard-network-security)
+* CloudGuard Network Security for [Azure](https://github.com/CheckPointSW/terraform-azure-cloudguard-network-security)
+
+## References
+* For more information about Check Point CloudGuard for Public Cloud, see https://www.checkpoint.com/products/iaas-public-cloud-security/
+* CloudGuard documentation is available at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132552&
+* CloudGuard Network CheckMates community is available at https://community.checkpoint.com/t5/CloudGuard-IaaS/bd-p/cloudguard-iaas

modules/management/README.md

@@ -0,0 +1,97 @@
+# Management Module
+
+This Terraform module deploys a Check-Point CloudGuard Network Security Management Server solution into a vSphere
+environment using an OVA template.
+
+### Prerequisites
+
+Check Point CloudGuard Network Security **"All deployment types" OVA**
+from [CloudGuard Network for Private Cloud images](https://support.checkpoint.com/results/sk/sk158292) R81.20 or later.
+
+## Usage
+
+Follow best practices for using CGNS modules
+on [main readme.md file](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/vmware/latest).
+
+## Example Usage
+
+```hcl
+provider "vsphere" {}
+
+module "management" {
+  source = "CheckPointSW/cloudguard-network-security/vmware//modules/management"
+
+  // VMware vCenter configuration
+  datacenter_name   = "datacenter"
+  resource_pool     = "my-pool"
+  datastore         = "datastore-1"
+  esxi_host         = "172.23.24.20"
+  eth0_network_name = "external-network"
+  local_ovf_path = "/home/file/jaguar_opt_main-777-991001696"
+  hostname          = "Management-Server-example"
+
+  // Management configuration
+  eth0_ipaddress       = "172.23.24.10"
+  eth0_subnet_mask     = 24
+  eth0_gateway_address = "172.23.24.1"
+  hostname             = "Management-example"
+  admin_password       = "AdminPassword123!"
+  mgmt_admin_passwd    = "guiPassword123!"
+  maintenance_hash     = "maintenancePassword123!"
+  ssh_key              = ""
+}
+```
+
+## Argument Reference
+
+- `datacenter_name`: (**Required**) The name of the vSphere datacenter.
+- `resource_pool`: (**Required**) The resource pool in vCenter host name.
+- `datastore`: (**Required**) The datastore name.
+- `esxi_host`: (**Required**) The ESXi host name.
+- `eth0_network_name`: (**Required**) The external network name.
+- `local_ovf_path`: (**Required**) The local path to the OVF/OVA file.
+- `admin_password`: (**Required**) Admin password.
+- `hostname`: (**Required**) Management server hostname.
+- `mgmt_gui_passwd`: (**Required**) Management GUI Client Password.
+- `maintenance_hash`: (**Required**) Default maintenance password.
+- `display_name`: (Optional) The display name of the Management server (from vCenter view). Default is the same as the `hostname`.
+- `eth0_ipaddress`: (Optional) IP address for eth0. Leave blank for DHCP.
+- `eth0_subnet_mask`: (Optional) Subnet mask for eth0. default is `24`. Leave blank for DHCP.
+- `eth0_gateway_address`: (Optional) Gateway address for eth0. Leave blank for DHCP.
+- `num_cpus`: (Optional) Number of CPUs for the Security Management.
+- `num_cores_per_socket`: (Optional) Number of cores per socket for the Security Management.
+- `memory`: (Optional) Memory size for the Security Management in MB.
+- `provision`: (Optional) Provision type (thin, flat, thick). 
+- `primary_dns`: (Optional) Primary DNS server.
+- `proxy_port`: (Optional) Port of the proxy server.
+- `proxy_address`: (Optional) Address of the proxy server.
+- `ntp_primary`: (Optional) Primary NTP server.
+- `ntp_primary_version`: (Optional) Version of the primary NTP server. Default is `4`.
+- `mgmt_gui_clients_radio`: (Optional) Management GUI Clients Restriction. (any, range, network, this). `any` by default
+- `mgmt_gui_clients_first_value`: (Optional) Depends "mgmt_gui_clients_radio" value:<br>If "any": leave blank<br>If "
+  range": First IP in range for GUI clients.<br>If "network": Network address for GUI clients.<br>If "this": In case of
+  a single IP address.
+- `mgmt_gui_clients_second_value`: (Optional) Depends "mgmt_gui_clients_radio" value:<br>If "any": leave blank<br>If "
+  range": Last IP in range for GUI clients.<br>If "network": Network mask for GUI clients.
+- `high_availability_configuration`: (Optional) High availability configuration (Primary, Secondary). `Primary` by
+  default.
+- `ssh_key`: (Optional) SSH key.
+- `clish_commands`: (Optional) Additional Clish commands in **base64**.
+- `additional_configuration`: (Optional) Additional shell commands **in base64**.
+- `custom_attributes`: (Optional) Map of custom attribute ids to attribute value strings to set for virtual machine.
+  Please refer to
+  the [vsphere_custom_attributes](https://registry.terraform.io/providers/hashicorp/vsphere/latest/docs/resources/custom_attribute#using-custom-attributes-in-a-supported-resource)
+  resource for more information on setting custom attributes.
+- `sic_for_secondary_mgmt`: (Optional) Secure Internal Communication key for secondary management.
+- `download_info`: (Optional) Automatically download and install Software Blade Contracts, security updates, and other
+  important data (very recommended). See sk175504. `Yes` by default
+- `upload_info`: (Optional) Help Check Point improve the product by sending anonymous information. See sk175504. `Yes`
+  by default.
+
+## Outputs
+
+- `ip_external`: External IP (eth0).
+- `hostname`: The name of the Security Management Server.
+- `managed_object_id`: The managed object ID of the Security Management Server.
+
+```

modules/management/main.tf

@@ -0,0 +1,107 @@
+data "vsphere_datacenter" "datacenter" {
+  name = var.datacenter_name
+}
+
+data "vsphere_datastore" "datastore" {
+  name          = var.datastore
+  datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+data "vsphere_resource_pool" "pool" {
+  name          = var.resource_pool
+  datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+data "vsphere_host" "host" {
+  name          = var.esxi_host
+  datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+data "vsphere_network" "eth0_network" {
+  name          = var.eth0_network_name
+  datacenter_id = data.vsphere_datacenter.datacenter.id
+}
+
+data "vsphere_ovf_vm_template" "ovf" {
+  name              = "Management-OVA"
+  disk_provisioning = var.provision
+  resource_pool_id  = data.vsphere_resource_pool.pool.id
+  datastore_id      = data.vsphere_datastore.datastore.id
+  host_system_id    = data.vsphere_host.host.id
+  local_ovf_path    = var.local_ovf_path
+}
+
+resource "vsphere_virtual_machine" "vm" {
+  name             = var.host_display_name != "" ? var.host_display_name : var.hostname
+  datacenter_id    = data.vsphere_datacenter.datacenter.id
+  datastore_id     = data.vsphere_datastore.datastore.id
+  host_system_id   = data.vsphere_host.host.id
+  resource_pool_id = data.vsphere_resource_pool.pool.id
+
+  num_cpus             = var.num_cpus != 0 ? var.num_cpus : data.vsphere_ovf_vm_template.ovf.num_cpus
+  num_cores_per_socket = var.num_cores_per_socket != 0 ? var.num_cores_per_socket : data.vsphere_ovf_vm_template.ovf.num_cores_per_socket
+  memory               = var.memory != 0 ? var.memory : data.vsphere_ovf_vm_template.ovf.memory
+  guest_id             = data.vsphere_ovf_vm_template.ovf.guest_id
+  annotation           = data.vsphere_ovf_vm_template.ovf.annotation
+  firmware             = data.vsphere_ovf_vm_template.ovf.firmware
+  nested_hv_enabled    = data.vsphere_ovf_vm_template.ovf.nested_hv_enabled
+  scsi_type            = data.vsphere_ovf_vm_template.ovf.scsi_type
+  custom_attributes    = var.custom_attributes
+
+  network_interface {
+    network_id = data.vsphere_network.eth0_network.id
+  }
+
+
+  ovf_deploy {
+    allow_unverified_ssl_cert = true
+    local_ovf_path            = data.vsphere_ovf_vm_template.ovf.local_ovf_path
+    disk_provisioning         = var.provision
+    ovf_network_map           = data.vsphere_ovf_vm_template.ovf.ovf_network_map
+    enable_hidden_properties  = true // Dont Change!
+  }
+
+  vapp {
+    properties = {
+      "hostname"             = var.hostname,
+      "run_ftw"              = "Yes",
+      "CheckPoint.adminHash" = var.admin_password
+      "eth0.ipaddress"       = var.eth0_ipaddress
+      "eth0.subnetmask"      = var.eth0_subnet_mask
+      "eth0.gatewayaddress"  = var.eth0_gateway_address
+
+      "primary"       = var.primary_dns
+      "proxy_port"    = var.proxy_port
+      "proxy_address" = var.proxy_address
+      "ntp_primary"   = var.ntp_primary
+      "ntp_primary_version" = var.ntp_primary_version // default is 4
+      "ssh_key" = var.ssh_key
+
+      // MGMT configuration
+      "mgmt_admin_passwd"               = var.mgmt_gui_password
+      "mgmt_gui_clients_radio"          = var.mgmt_gui_clients_radio
+      "mgmt_gui_clients_first_value"    = var.mgmt_gui_clients_first_value
+      "mgmt_gui_clients_second_value"   = var.mgmt_gui_clients_second_value
+      "high_availability_configuration" = var.high_availability_configuration
+      "CheckPoint.ftwSicKey"            = var.sic_for_secondary_mgmt
+      "maintenance_hash"                = var.maintenance_hash
+
+      "clish_commands" = var.clish_commands
+      "additional_configuration" = var.additional_configuration
+      // DO NOT CHANGE "user_data"!
+      "user_data"      = var.user_data
+    }
+  }
+
+  wait_for_guest_net_routable = false
+  wait_for_guest_net_timeout  = 0
+  lifecycle {
+    ignore_changes = [
+      num_cpus,
+      num_cores_per_socket,
+      memory,
+      annotation,
+      vapp[0].properties
+    ]
+  }
+}

modules/management/outputs.tf

@@ -0,0 +1,11 @@
+output "ip_external" {
+  value = vsphere_virtual_machine.vm.default_ip_address
+}
+
+output "hostname" {
+  value = vsphere_virtual_machine.vm.name
+}
+
+output "managed_object_id" {
+  value = vsphere_virtual_machine.vm.moid
+}