|
| 1 | + |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | +# Terraform Modules for CloudGuard Network Security (CGNS) - Azure |
| 9 | + |
| 10 | + |
| 11 | +## Introduction |
| 12 | +This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in Microsoft Azure. These modules automate the creation of Virtual Networks, Security Gateways, High-Availability architectures, and more, enabling secure and scalable cloud deployments. |
| 13 | + |
| 14 | +## Repository Structure |
| 15 | +`Submodules:` Contains modular, reusable, production-grade Terraform components, each with its own documentation. |
| 16 | + |
| 17 | +`Examples:` Demonstrates how to use the modules. |
| 18 | + |
| 19 | + |
| 20 | +**Submodules:** |
| 21 | + |
| 22 | +* [`high_availability_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/high_availability_existing_vnet) - Deploys CloudGuard High Availability solution into an existing VNet in azure. |
| 23 | + |
| 24 | +* [`high_availability_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/high_availability_new_vnet) Deploys CloudGuard High Availability solution into a new VNet. |
| 25 | + |
| 26 | +* [`management_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/management_existing_vnet) - Deploys CloudGuard Management solution into an existing VNet. |
| 27 | + |
| 28 | +* [`management_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/management_new_vnet) - Deploys CloudGuard Management solution into a new VNet. |
| 29 | + |
| 30 | +* [`mds_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/mds_existing_vnet) - Deploys CloudGuard Management solution into a new VNet. |
| 31 | + |
| 32 | +* [`mds_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/mds_new_vnet) - Deploys CloudGuard Management solution into a new VNet. |
| 33 | + |
| 34 | +* [`nva_into_existing_hub`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/nva_into_existing_hub) - Deploys CloudGuard Virtual WAN NVA solution into an existing vWAN Hub. |
| 35 | + |
| 36 | +* [`nva_into_new_vwan`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/nva_into_new_vwan) - Deploys CloudGuard Virtual WAN NVA solution into a new vWAN Hub. |
| 37 | + |
| 38 | +* [`single_gateway_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/single_gateway_existing_vnet) - Deploys CloudGuard Single Gateway solution into an existing VNet. |
| 39 | + |
| 40 | +* [`single_gateway_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/single_gateway_new_vnet) - Deploys CloudGuard Single Gateway solution into a new VNet. |
| 41 | + |
| 42 | +* [`vmss_existing_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/vmss_existing_vnet) - Deploys CloudGuard VMSS solution into an existing VNet. |
| 43 | + |
| 44 | +* [`vmss_new_vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/vmss_new_vnet) - Deploys CloudGuard VMSS solution into a new VNet. |
| 45 | + |
| 46 | +Internal Submodules - |
| 47 | + |
| 48 | +* [`common`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/common) - Contains shared configurations and reusable components for all modules. |
| 49 | + |
| 50 | +* [`network_security_group`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/network_security_group) - Manages Network Security Groups (NSGs) with CloudGuard-specific rules. |
| 51 | + |
| 52 | +- [`vnet`](https://registry.terraform.io/modules/CheckPointSW/cloudguard-network-security/azure/latest/submodules/vnet) - Simplifies Virtual Network and subnet configurations. |
| 53 | + |
| 54 | + |
| 55 | +## Security Rules Default Configuration |
| 56 | +Some modules in this repository include default security rules configured for "allow all inbound traffic." These rules are provided for ease of deployment but are not intended for production use without further customization. Add security rule to override the default "allow all traffic" configuration. |
| 57 | + |
| 58 | +**Example:** To restrict inbound traffic, update the security_rules attribute in the submodule configuration: |
| 59 | +```hcl |
| 60 | +security_rules = [ |
| 61 | + { |
| 62 | + name = "AllowSSH" |
| 63 | + priority = "100" |
| 64 | + direction = "Inbound" |
| 65 | + access = "Allow" |
| 66 | + protocol = "Tcp" |
| 67 | + source_port_ranges = "*" |
| 68 | + destination_port_ranges = "22" |
| 69 | + description = "Allow SSH inbound connections" |
| 70 | + source_address_prefix = "10.0.0.0/8" |
| 71 | + destination_address_prefix = "*" |
| 72 | + } |
| 73 | +] |
| 74 | +``` |
| 75 | + |
| 76 | +**Check Point Recommendation:** Always follow the principle of least privilege when configuring security rules to reduce exposure to threats. |
| 77 | + |
| 78 | +*** |
| 79 | + |
| 80 | +# Best Practices for Using CloudGuard Modules |
| 81 | + |
| 82 | +## Step 1: Use the Required Module |
| 83 | +Add the required module in your Terraform configuration file (`main.tf`) to deploy resources. For example: |
| 84 | + |
| 85 | +```hcl |
| 86 | +provider "azurerm" { |
| 87 | + features {} |
| 88 | +} |
| 89 | +
|
| 90 | +module "example_module" { |
| 91 | + source = "CheckPointSW/cloudguard-network-security/azure//modules/{module_name}" |
| 92 | + version = "{chosen_version}" |
| 93 | + # Add the required inputs |
| 94 | +} |
| 95 | +``` |
| 96 | +--- |
| 97 | + |
| 98 | +## Step 2: Open the Terminal |
| 99 | +Ensure you have [Azure CLI installed](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and navigate to the directory where your `main.tf` file is located, using the appropriate terminal: |
| 100 | + |
| 101 | +- **Linux/macOS**: **Terminal**. |
| 102 | +- **Windows**: **PowerShell** or **Command Prompt**. |
| 103 | + |
| 104 | +--- |
| 105 | + |
| 106 | +## Step 3: Set Environment Variables and Log in with Azure CLI |
| 107 | +Set the required environment variables and authenticate with Azure using your Service Principal. Then, select the correct subscription. |
| 108 | + |
| 109 | +### Linux/macOS |
| 110 | +```hcl |
| 111 | +export TF_VAR_client_id="{your-client-id}" |
| 112 | +export TF_VAR_client_secret="{your-client-secret}" |
| 113 | +export TF_VAR_subscription_id="{your-subscription-id}" |
| 114 | +export TF_VAR_tenant_id="{your-tenant-id}" |
| 115 | +
|
| 116 | +az login --service-principal -u $TF_VAR_client_id -p $TF_VAR_client_secret --tenant $TF_VAR_tenant_id |
| 117 | +az account set --subscription $TF_VAR_subscription_id |
| 118 | +``` |
| 119 | +### PowerShell (Windows) |
| 120 | +```hcl |
| 121 | +$env:TF_VAR_client_id="{your-client-id}" |
| 122 | +$env:TF_VAR_client_secret="{your-client-secret}" |
| 123 | +$env:TF_VAR_subscription_id="{your-subscription-id}" |
| 124 | +$env:TF_VAR_tenant_id="{your-tenant-id}" |
| 125 | +
|
| 126 | +az login --service-principal -u $env:TF_VAR_client_id -p $env:TF_VAR_client_secret --tenant $env:TF_VAR_tenant_id |
| 127 | +az account set --subscription $env:TF_VAR_subscription_id |
| 128 | +``` |
| 129 | +### Command Prompt (Windows) |
| 130 | +```hcl |
| 131 | +set TF_VAR_client_id="{your-client-id}" |
| 132 | +set TF_VAR_client_secret="{your-client-secret}" |
| 133 | +set TF_VAR_subscription_id="{your-subscription-id}" |
| 134 | +set TF_VAR_tenant_id="{your-tenant-id}" |
| 135 | +
|
| 136 | +az login --service-principal -u %TF_VAR_client_id% -p %TF_VAR_client_secret% --tenant %TF_VAR_tenant_id% |
| 137 | +az account set --subscription %TF_VAR_subscription_id% |
| 138 | +``` |
| 139 | +--- |
| 140 | + |
| 141 | + |
| 142 | +## Step 4: Deploy with Terraform |
| 143 | +Use Terraform commands to deploy resources securely. |
| 144 | + |
| 145 | +### Initialize Terraform |
| 146 | +Prepare the working directory and download required provider plugins: |
| 147 | +```hcl |
| 148 | +terraform init |
| 149 | +``` |
| 150 | + |
| 151 | +### Plan Deployment |
| 152 | +Preview the changes Terraform will make: |
| 153 | +```hcl |
| 154 | +terraform plan |
| 155 | +``` |
| 156 | +### Apply Deployment |
| 157 | +Apply the planned changes and deploy the resources: |
| 158 | +```hcl |
| 159 | +terraform apply |
| 160 | +``` |
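Review bot: the Command Prompt variant of Step 3 stores the quotes as part of each value: in cmd.exe `set TF_VAR_client_id="{your-client-id}"` assigns the string `"{your-client-id}"` including the double quotes, so the later `az login --service-principal -u %TF_VAR_client_id% ...` receives quoted values and fails; drop the quotes (`set TF_VAR_client_id={your-client-id}`) in all four `set` lines. In the Submodules list, the `mds_existing_vnet` entry is a copy of the `mds_new_vnet` text and says "Deploys CloudGuard Management solution into a new VNet", which is wrong on both the product and the VNet type; it should describe the MDS solution deployed into an existing VNet, and the `mds_new_vnet` entry should say MDS rather than Management as well. All three Step 3 variants pass the client secret as a command-line argument (`-p $TF_VAR_client_secret`), which leaves it in shell history and visible in process listings to other users on the host; since the `azurerm` provider authenticates directly from `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`, consider documenting those (or OIDC / managed identity) and dropping the `az login` with an inline secret. In the Security Rules example, `source_port_ranges = "*"` and `destination_port_ranges = "22"` use the plural attribute names with scalar values; in the `azurerm_network_security_rule` resource the plural forms take a list and the singular `source_port_range` / `destination_port_range` take a string, so please verify these keys against the submodule's `security_rules` variable type before shipping the example. Smaller points: the shell, PowerShell, cmd and `terraform init/plan/apply` blocks are fenced as `hcl` and should be `bash`, `powershell`, `cmd` and `shell`; "Add security rule to override" should read "Add security rules to override"; the `high_availability_new_vnet` entry is missing the " - " separator used by its siblings and "in azure" should be "in Azure"; and the `vnet` entry under Internal Submodules uses `-` where the other items use `*`.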