feat(VSECPC-10745): Initial commit of GCP Terraform module with NSI d…

…eployment

README.md

@@ -0,0 +1,155 @@
+![GitHub Wachers](https://img.shields.io/github/watchers/CheckPointSW/terraform-azure-cloudguard-network-security)
+![GitHub Release](https://img.shields.io/github/v/release/CheckPointSW/terraform-azure-cloudguard-network-security)
+![GitHub Commits Since Last Commit](https://img.shields.io/github/commits-since/CheckPointSW/terraform-azure-cloudguard-network-security/latest/master)
+![GitHub Last Commit](https://img.shields.io/github/last-commit/CheckPointSW/terraform-azure-cloudguard-network-security/master)
+![GitHub Repo Size](https://img.shields.io/github/repo-size/CheckPointSW/terraform-azure-cloudguard-network-security)
+![GitHub Downloads](https://img.shields.io/github/downloads/CheckPointSW/terraform-azure-cloudguard-network-security/total)
+
+# Terraform Modules for CloudGuard Network Security (CGNS) - GCP
+
+
+## Introduction
+This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in GCP. These modules automate the creation of Virtual Networks, Security Gateways, High-Availability architectures, and more, enabling secure and scalable cloud deployments.
+
+
+## Before you begin
+1. Create a project in the [Google Cloud Console](https://console.cloud.google.com/) and set up billing on that project.
+2. [Install Terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
+
+### Configuring the Provider
+The **main.tf** file includes the following provider configuration block used to configure the credentials you use to authenticate with GCP, as well as a default project and location for your resources:
+```
+provider "google" {
+  credentials = file(var.service_account_path)
+  project     = var.project
+  region      = var.region
+}
+...
+```
+
+1. [Create a Service Account](https://cloud.google.com/docs/authentication/getting-started) (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine. <br/>
+2. Select "Editor" Role or verify you have the following permissions:
+   ```
+   compute.autoscalers.create
+   compute.autoscalers.delete
+   compute.autoscalers.get
+   compute.autoscalers.update
+   compute.disks.create
+   compute.firewalls.create
+   compute.firewalls.delete
+   compute.firewalls.get
+   compute.firewalls.update
+   compute.instanceGroupManagers.create
+   compute.instanceGroupManagers.delete
+   compute.instanceGroupManagers.get
+   compute.instanceGroupManagers.use
+   compute.instanceGroups.delete
+   compute.instanceTemplates.create
+   compute.instanceTemplates.delete
+   compute.instanceTemplates.get
+   compute.instanceTemplates.useReadOnly
+   compute.instances.create
+   compute.instances.setMetadata
+   compute.instances.setTags
+   compute.networks.get
+   compute.networks.updatePolicy
+   compute.regions.list
+   compute.subnetworks.get
+   compute.subnetworks.use
+   compute.subnetworks.useExternalIp
+   iam.serviceAccounts.actAs
+   ```
+3. ```credentials``` - Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire. <br/> 
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://www.terraform.io/docs/providers/google/guides/provider_reference.html#credentials-1).
+    - Static credentials can be provided by adding the path to your service-account json file, project-id and region in /gcp/modules/autoscale-into-new-vpc/**terraform.tfvars** file as follows:
+        ```
+        service_account_path = "service-accounts/service-account-file-name.json"
+        project = "project-id"
+        region = "us-central1"
+        ```
+     - In case the Environment Variables are used, perform modifications described below:<br/>
+        a. The next lines in the main.tf file, in the provider google resource, need to be deleted or commented:
+        ```
+        provider "google" {
+          //  credentials = file(var.service_account_path)
+          //  project = var.project
+
+          region = var.region
+        }
+       ```
+       b.In the terraform.tfvars file leave empty double quotes for credentials and project variables:
+       ```
+       service_account_path = ""
+       project = ""
+       ```
+## Usage
+- Fill all variables in the /gcp/autoscale-into-existing-vpc/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+    ```
+    terraform init
+    ```
+- Create an execution plan:
+    ```
+    terraform plan
+    ```
+- Create or modify the deployment:
+    ```
+    terraform apply
+    ```
+
+## Repository Structure
+`Submodules:` Contains modular, reusable, production-grade Terraform components, each with its own documentation.
+
+`Examples:` Demonstrates how to use the modules.
+
+
+**Submodules:**
+* [`network-security-integration`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-security-integration) - Deploys GCP Network Security Integration.
+
+Internal Submodules - 
+
+* [`firewall-rule`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/firewall-rule) - Deploys firewall rules on GCP VPCs.
+* [`internal-load-balancer`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/internal-load-balancer) - Deploys internal load balanncer.
+* [`network-and-subnet`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-and-subnet) - Deploys VPC and subnetwork in the VPC.
+* [`network-security-integration-common`](https://registry.terraform.io/modules/chkp-olgami/olgami/gcp/latest/submodules/network-security-integration-common) - Deploys Network Security Integration.
+
+
+***
+
+# Best Practices for Using CloudGuard Modules
+
+## Step 1: Use the Required Module
+Add the required module in your Terraform configuration file (`main.tf`) to deploy resources. For example:
+
+```hcl
+provider "google" {
+  features {}
+}
+
+module "example_module" {
+  source  = "CheckPointSW/cloudguard-network-security/gcp//modules/{module_name}"
+  version = "{chosen_version}"
+  # Add the required inputs
+}
+```
+---
+
+## Step 2: Deploy with Terraform
+Use Terraform commands to deploy resources securely.
+
+### Initialize Terraform
+Prepare the working directory and download required provider plugins:
+```hcl
+terraform init
+```
+
+### Plan Deployment
+Preview the changes Terraform will make:
+```hcl
+terraform plan
+```
+### Apply Deployment
+Apply the planned changes and deploy the resources:
+```hcl
+terraform apply
+```

modules/common/common/main.tf

@@ -0,0 +1,2 @@
+
+

modules/common/common/variables.tf

@@ -0,0 +1,79 @@
+variable "installation_type" {
+  type = string
+  description = "Installation type"
+  default = "Gateway only"
+}
+variable "os_version" {
+  type = string
+  description = "GAIA OS version"
+  default = "R8120"
+  validation {
+    condition = contains(["R8110", "R8120" , "R82"], var.os_version)
+    error_message = "Allowed values for os_version are 'R8110' , 'R8120', 'R82'"
+  }
+}
+variable "image_name" {
+  type = string
+  description = "The single gateway and management image name"
+}
+locals {
+  regex_validate_mgmt_image_name = "^check-point-${lower(var.os_version)}-[^(gw)].*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+  regex_validate_gw_image_name = "^check-point-${lower(var.os_version)}-gw-.*[0-9]{3}-([0-9]{3,}|[a-z]+)-v[0-9]{8,}.*"
+  regex_validate_image_name = contains(["Gateway only", "Cluster", "AutoScale", "Network Security Integration"], var.installation_type) ? local.regex_validate_gw_image_name : local.regex_validate_mgmt_image_name
+  regex_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : "Variable [image_name] must be a valid Check Point image name of the correct version."
+  index_image_name = index(["0"], local.regex_image_name)
+}
+variable "license" {
+  type = string
+  description = "Checkpoint license (BYOL)."
+  default = "BYOL"
+}
+locals {
+    license_allowed_values = [
+    "BYOL"]
+  // will fail if [var.license] is invalid:
+  validate_license = index(local.license_allowed_values, upper(var.license))
+}
+variable "admin_SSH_key" {
+  type = string
+  description = "(Optional) The SSH public key for SSH authentication to the template instances. Leave this field blank to use all project-wide pre-configured SSH keys."
+  default = ""
+}
+locals {
+  regex_valid_admin_SSH_key = "^(^$|ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3})"
+  // Will fail if var.admin_SSH_key is invalid
+  regex_admin_SSH_key = length(regexall(local.regex_valid_admin_SSH_key, var.admin_SSH_key)) > 0 ? 0 : "Please enter a valid SSH public key or leave empty"
+  index_admin_SSH_key = index(["0"], local.regex_admin_SSH_key)
+}
+variable "admin_shell" {
+  type = string
+  description = "Change the admin shell to enable advanced command line configuration."
+  default = "/etc/cli.sh"
+}
+locals {
+    admin_shell_allowed_values = [
+    "/etc/cli.sh",
+    "/bin/bash",
+    "/bin/csh",
+    "/bin/tcsh"]
+  // Will fail if var.admin_shell is invalid
+  validate_admin_shell = index(local.admin_shell_allowed_values, var.admin_shell)
+}
+variable "externalIP" {
+  type = string
+  description = "External IP address type"
+  default = "static"
+  validation {
+    condition = contains(["static", "ephemeral", "none"], var.externalIP)
+    error_message = "Invalid value for externalIP. Allowed values are 'static', 'ephemeral' or 'none'."
+  }
+}
+locals {
+  external_ip_allowed_values = [
+    "static",
+    "ephemeral",
+    "none"
+  ]
+  validate_external_ip = index(local.external_ip_allowed_values, var.externalIP)
+}
+

modules/common/firewall-rule/main.tf

@@ -0,0 +1,10 @@
+resource "google_compute_firewall" "firewall_rules" {
+  name = var.rule_name
+  network = var.network[0]
+  allow {
+    protocol = var.protocol
+    ports = var.ports
+  }
+  source_ranges = var.source_ranges
+  target_tags = var.target_tags
+}

modules/common/firewall-rule/output.tf

@@ -0,0 +1,3 @@
+output "firewall_rule_name" {
+  value = google_compute_firewall.firewall_rules.name
+}

modules/common/firewall-rule/variables.tf

@@ -0,0 +1,28 @@
+variable "protocol" {
+  type = string
+  description = "The IP protocol to which this rule applies."
+}
+variable "source_ranges" {
+  type = list(string)
+  description = "(Optional) Source IP ranges for the protocol traffic - Traffic is only allowed from sources within these IP address ranges. Use CIDR notation when entering ranges. For gateway only. Please leave empty list to unable this protocol traffic."
+  default = []
+}
+variable "rule_name" {
+  type = string
+  description = "Firewall rule name."
+}
+variable "network" {
+  type = list(string)
+  description = "The name or self_link of the network to attach this firewall to."
+}
+variable "target_tags" {
+  description = "List of target tags for the firewall rule"
+  type = list(string)
+  default = ["checkpoint-gateway"]
+}
+variable "ports" {
+  description = "List of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. "
+  type = list(number)
+  default = []
+
+}

modules/common/internal-load-balancer/main.tf

@@ -0,0 +1,33 @@
+resource "google_compute_health_check" "health_check" {
+  name               = "${var.prefix}-health-check"
+  project            = var.project
+  tcp_health_check {
+    port = 8117
+  }
+}
+
+resource "google_compute_region_backend_service" "backend_service" {
+  name                  = "${var.prefix}-internal-backend-service"
+  project               = var.project
+  protocol              = var.protocol
+  health_checks         = [google_compute_health_check.health_check.id]
+  region                = var.region
+  network               = var.network
+  connection_draining_timeout_sec = var.connection_draining_timeout
+  backend  {
+    group = var.instance_group
+  }
+}
+
+resource "google_compute_forwarding_rule" "forwarding_rule" {
+  for_each              = toset(var.intercept_deployment_zones)
+  name                  = "${var.prefix}-forwarding-rule-${each.key}"
+  project               = var.project
+  region                = var.region
+  load_balancing_scheme = "INTERNAL"
+  ip_version            = "IPV4"
+  ip_protocol           = var.ip_protocol
+  ports                 = var.ports
+  subnetwork            = var.subnetwork
+  backend_service       = google_compute_region_backend_service.backend_service.self_link
+}

modules/common/internal-load-balancer/output.tf

@@ -0,0 +1,3 @@
+output "forwarding_rule" {
+  value = { for key, rule in google_compute_forwarding_rule.forwarding_rule : key => rule.self_link }
+}

modules/common/internal-load-balancer/variables.tf

@@ -0,0 +1,62 @@
+variable "project" {
+  type        = string
+  description = "Personal project id. The project indicates the default GCP project all of your resources will be created in."
+  default     = "chkp-tf-project"
+}
+
+variable "prefix" {
+  type        = string
+  description = "Resources name prefix"
+  default     = "chkp-tf-nsi"
+}
+
+variable "network" {
+  type        = string
+  description = "The name or self_link of the network"
+}
+
+variable "subnetwork" {
+  type        = string
+  description = "The name or self_link of the subnetwork"
+}
+
+variable "region" {
+  type    = string
+  default = "us-central1"
+}
+
+variable "ip_protocol" {
+  description = "The IP protocol to which this rule applies. For protocol forwarding, valid options are TCP, UDP, ESP, AH, SCTP, ICMP and L3_DEFAULT."
+  default     = "TCP"
+  type        = string
+}
+
+variable "ports" {
+  description = "Which port numbers are forwarded to the backends"
+  default     = []
+  type        = list(number)
+}
+
+variable "protocol" {
+  description = "The protocol used by the backend service. Valid values are HTTP, HTTPS, HTTP2, SSL, TCP, UDP, GRPC, UNSPECIFIED"
+  default     = "TCP"
+  type        = string
+
+}
+
+variable "instance_group" {
+  description = "The name or self_link of the instance group"
+  type        = string
+}
+
+variable "intercept_deployment_zones" {
+  type = list(string)
+  description = "The list of zones for which a network security intercept deployment will be deployed. The zones must be in the same region as the deployment."
+  default = ["us-central1-a"]
+}
+
+variable "connection_draining_timeout" {
+    type = number
+    description = "The time, in seconds, that the load balancer waits for active connections to complete before fully removing an instance from the backend group. The default value is 300 seconds."
+    default = 300
+}