Ejemplo n.º 1
0
def generate_config(context):
    """Creates the gateway."""
    prop = context.properties
    prop['cloudguardVersion'], _, prop['installationType'] = prop[
        'installationType'].partition(' ')
    prop['templateName'] = TEMPLATE_NAME
    prop['templateVersion'] = TEMPLATE_VERSION
    prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
    if not prop['managementGUIClientNetwork'] and prop['installationType'] in {
            'Gateway and Management (Standalone)', 'Management only'
    }:
        raise Exception('Allowed GUI clients are required when installing '
                        'a management server')
    for k in ['managementGUIClientNetwork']:
        prop.setdefault(k, '')
    resources = []
    outputs = []
    network_interfaces = []
    external_ifs = []
    zone = prop['zone']
    deployment = context.env['deployment']
    vm_name = set_name_and_truncate(deployment, '-vm')
    access_configs = []
    if prop['externalIP'] != 'None':
        access_config = make_access_config(resources, vm_name, zone,
                                           'Static' == prop['externalIP'])
        access_configs.append(access_config)
        external_ifs.append(0)
        prop['hasInternet'] = 'true'
    else:
        prop['hasInternet'] = 'false'
    network = common.MakeGlobalComputeLink(context, default.NETWORK)
    networks = {prop['network']}
    network_interface = {
        'network': network,
        'accessConfigs': access_configs,
    }
    if default.SUBNETWORK in prop:
        network_interface['subnetwork'] = common.MakeSubnetworkComputeLink(
            context, default.SUBNETWORK)
    network_interfaces.append(network_interface)
    for ifnum in range(1, prop['numAdditionalNICs'] + 1):
        net = prop.get(ADDITIONAL_NETWORK.format(ifnum))
        subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum))
        ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum))
        if not net or not subnet:
            raise Exception(
                'Missing network parameters for interface {}'.format(ifnum))
        if net in networks:
            raise Exception('Cannot use network "' + net + '" more than once')
        networks.add(net)
        net = ''.join([
            default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
            '/global/networks/', net
        ])
        subnet = ''.join([
            default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
            '/regions/',
            common.ZoneToRegion(zone), '/subnetworks/', subnet
        ])
        network_interface = {
            'network': net,
            'subnetwork': subnet,
        }
        if 'None' != ext_ip:
            external_ifs.append(ifnum)
            access_config = make_access_config(resources, vm_name, zone,
                                               'Static' == ext_ip, ifnum + 1)
            access_configs = [access_config]
            network_interface['accessConfigs'] = access_configs
            if not prop.get('hasInternet') or 'false' == prop['hasInternet']:
                prop['hasInternet'] = 'true'
        network_interfaces.append(network_interface)
    for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS):
        prop.pop(ADDITIONAL_NETWORK.format(ifnum), None)
        prop.pop(ADDITIONAL_SUBNET.format(ifnum), None)
        prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None)
    deployment_config = set_name_and_truncate(deployment, '-config')
    prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' +
                          'projects/' + context.env['project'] + '/configs/' +
                          deployment_config)
    prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:])
    prop['deployment_config'] = deployment_config
    tags = ATTRIBUTES[prop['installationType']]['tags']
    uid = set_name_and_truncate(
        vm_name, '-' + password.GeneratePassword(8, False).lower())
    if prop['installationType'] == 'Gateway only':
        prop['cloudguardVersion'] += '-GW'
        if not prop.get('sicKey'):
            prop['computed_sic_key'] = password.GeneratePassword(12, False)
        else:
            prop['computed_sic_key'] = prop['sicKey']
    else:
        prop['computed_sic_key'] = 'N/A'
    outputs.append({
        'name': 'sicKey',
        'value': prop['computed_sic_key'],
    }, )
    if 'gw' in VERSIONS[prop['cloudguardVersion']]:
        license_name = "{}-{}".format(LICENSE, LICENCE_TYPE)
    else:
        license_name = LICENSE
    family = '-'.join(
        ['check-point', VERSIONS[prop['cloudguardVersion']], license_name])
    formatter = common.DefaultFormatter()
    gw = {
        'type': default.INSTANCE,
        'name': vm_name,
        'properties': {
            'description':
            ATTRIBUTES[prop['installationType']]['description'],
            'zone':
            zone,
            'tags': {
                'items': tags + [uid],
            },
            'machineType':
            common.MakeLocalComputeLink(context, default.MACHINETYPE),
            'canIpForward':
            ATTRIBUTES[prop['installationType']]['canIpForward'],
            'networkInterfaces':
            network_interfaces,
            'disks': [{
                'autoDelete':
                True,
                'boot':
                True,
                'deviceName':
                common.AutoName(context.env['name'], default.DISK, 'boot'),
                'initializeParams': {
                    'diskType':
                    common.MakeLocalComputeLink(context, default.DISKTYPE),
                    'diskSizeGb':
                    prop['bootDiskSizeGb'],
                    'sourceImage':
                    'projects/%s/global/images/%s' %
                    (PROJECT, images.IMAGES[family]),
                },
                'type':
                'PERSISTENT',
            }],
            'metadata': {
                'items': [
                    {
                        'key': 'startup-script',
                        'value': formatter.format(startup_script, **prop)
                    },
                ]
            },
            'serviceAccounts': [{
                'email':
                'default',
                'scopes': ['https://www.googleapis.com/auth/monitoring.write'],
            }]
        }
    }
    if (prop['externalIP'] != 'None') and ('Manual Configuration' !=
                                           prop['installationType']):
        gw['properties']['serviceAccounts'][0]['scopes'].append(
            'https://www.googleapis.com/auth/cloudruntimeconfig')
        resources.append({
            'name': deployment_config,
            'type': 'runtimeconfig.v1beta1.config',
            'properties': {
                'config':
                deployment_config,
                'description': ('Holds software readiness status '
                                'for deployment {}').format(deployment),
            },
        })
        resources.append({
            'name': set_name_and_truncate(deployment, '-software'),
            'type': 'runtimeconfig.v1beta1.waiter',
            'metadata': {
                'dependsOn': [],
            },
            'properties': {
                'parent': '$(ref.' + deployment_config + '.name)',
                'waiter': 'software',
                'timeout': '1800s',
                'success': {
                    'cardinality': {
                        'number': 1,
                        'path': 'status/success',
                    },
                },
                'failure': {
                    'cardinality': {
                        'number': 1,
                        'path': 'status/failure',
                    },
                },
            },
        })
    if 'instanceSSHKey' in prop:
        gw['properties']['metadata']['items'].append({
            'key':
            'instanceSSHKey',
            'value':
            prop['instanceSSHKey']
        })
    if prop['generatePassword']:
        passwd = password.GeneratePassword(12, False)
        gw['properties']['metadata']['items'].append({
            'key': 'adminPasswordSourceMetadata',
            'value': passwd
        })
    else:
        passwd = ''
    resources.append(gw)
    netlist = list(networks)
    if GATEWAY in tags:
        for i in range(len(netlist)):
            network = netlist[i]
            fw_rule_name_prefix = set_name_and_truncate(
                '{}-{}'.format(deployment[:23], network[:18]),
                '-allow-all-to-chkp-{}'.format(i + 1))
            firewall_rules = create_firewall_rules(prop, network,
                                                   fw_rule_name_prefix)
            resources.extend(firewall_rules)
    elif MANAGEMENT in tags:
        for i in range(len(netlist)):
            network = netlist[i]
            source_ranges = prop['network_tcpSourceRanges']
            tcp_enabled = prop['network_enableTcp']
            gwNetwork_enabled = prop['network_enableGwNetwork']
            gwNetwork_source_range = prop['network_gwNetworkSourceRanges']
            if source_ranges and not tcp_enabled:
                raise Exception(
                    'Allowed source IP ranges for TCP traffic are provided '
                    'but TCP not marked as allowed')
            if tcp_enabled and not source_ranges:
                raise Exception('Allowed source IP ranges for TCP traffic'
                                ' are required when installing '
                                'a management server')
            if not gwNetwork_enabled and gwNetwork_source_range:
                raise Exception('Gateway network source IP are provided but '
                                'not marked as allowed.')
            if gwNetwork_enabled and not gwNetwork_source_range:
                raise Exception('Gateway network source IP is required in'
                                ' MGMT deployment.')
            ranges_list = source_ranges.split(',')
            gw_network_list = gwNetwork_source_range.split(',')
            ranges = []
            gw_net_ranges = []
            for source_range in ranges_list:
                ranges.append(source_range.replace(" ", ""))
            for gw_net_range in gw_network_list:
                gw_net_ranges.append(gw_net_range.replace(" ", ""))
            if tcp_enabled:
                if gwNetwork_enabled:
                    resources.append({
                        'type':
                        'compute.v1.firewall',
                        'name':
                        set_name_and_truncate(
                            '{}-{}'.format(deployment[:23], network[:18]),
                            '-gateways-to-management-{}'.format(i + 1)),
                        'properties': {
                            'network':
                            'global/networks/' + network,
                            'sourceRanges':
                            list(set(gw_net_ranges + ranges)),
                            'sourceTags': [GATEWAY],
                            'targetTags': [uid],
                            'allowed': [
                                {
                                    'IPProtocol': 'tcp',
                                    'ports':
                                    ['257', '18191', '18210', '18264']
                                },
                            ],
                        }
                    })
                resources.append({
                    'type':
                    'compute.v1.firewall',
                    'name':
                    set_name_and_truncate(
                        '{}-{}'.format(deployment[:23], network[:18]),
                        '-allow-gui-clients-{}'.format(i + 1)),
                    'properties': {
                        'network':
                        'global/networks/' + network,
                        'sourceRanges':
                        list(set(ranges)),
                        'targetTags': [uid],
                        'allowed': [
                            {
                                'IPProtocol': 'tcp',
                                'ports': ['22', '443', '18190', '19009']
                            },
                        ],
                    }
                })
            fw_rule_name_prefix = set_name_and_truncate(
                '{}-{}'.format(deployment[:23], network[:18]),
                '-allow-all-to-chkp-{}'.format(i + 1))
            firewall_rules = create_firewall_rules(prop, network,
                                                   fw_rule_name_prefix, True,
                                                   uid)
            resources.extend(firewall_rules)
    outputs += [{
        'name': 'deployment',
        'value': deployment
    }, {
        'name': 'project',
        'value': context.env['project']
    }, {
        'name': 'vmName',
        'value': vm_name,
    }, {
        'name': 'vmId',
        'value': '$(ref.%s.id)' % vm_name,
    }, {
        'name': 'vmSelfLink',
        'value': '$(ref.%s.selfLink)' % vm_name,
    }, {
        'name': 'hasMultiExternalIPs',
        'value': 0 < len(external_ifs) and external_ifs != [0],
    }, {
        'name':
        'additionalExternalIPs',
        'value':
        ', '.join([('$(ref.{}.networkInterfaces[{}].' +
                    'accessConfigs[0].natIP)').format(vm_name, ifnum)
                   for ifnum in external_ifs if ifnum])
    }, {
        'name': 'vmInternalIP',
        'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name,
    }, {
        'name': 'password',
        'value': passwd
    }]
    return common.MakeResource(resources, outputs)
Ejemplo n.º 2
0
def GenerateConfig(context):
  """Generates YAML resource configuration."""
  resource_list = GenerateResourceList(context)
  output_list = GenerateOutputList(context, resource_list)
  return common.MakeResource(resource_list, output_list)
def GenerateConfig(context):
    """Generates YAML resource configuration."""
    return common.MakeResource(GenerateResourceList(context))
Ejemplo n.º 4
0
def generate_config(context):
    # This method will:
    # 1. Create a instance template for a security GW
    # (with a tag for the managing security server)
    # 2. Create a managed instance group
    # (based on the instance template and zones list provided by the user)
    # 3. Configure autoscaling
    # (based on min, max & policy settings provided by the user)
    prop = context.properties
    prop['deployment'] = context.env['deployment']
    prop['project'] = context.env['project']
    prop['templateName'] = TEMPLATE_NAME
    prop['templateVersion'] = TEMPLATE_VERSION
    prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
    prop['hasInternet'] = 'true'  # via Google Private Access
    prop['installationType'] = 'AutoScale'
    prop['resources'] = []
    prop['outputs'] = []
    prop['gw_dependencies'] = []
    prop['computed_sic_key'] = password.GeneratePassword(12, False)
    prop['gatewayExternalIP'] = (
        prop['mgmtNIC'] == 'Ephemeral Public IP (eth0)')

    version_chosen = prop['autoscalingVersion'].split(' ')[0] + "-GW"
    nics = create_nics(context)
    gw_template = create_instance_template(context,
                                           prop['deployment'],
                                           nics,
                                           depends_on=prop['gw_dependencies'],
                                           gw_version=VERSIONS[version_chosen])
    prop['resources'] += [gw_template]
    prop['igm_dependencies'] = [gw_template['name']]
    igm = GenerateAutscaledGroup(context, prop['deployment'],
                                 gw_template['name'], prop['igm_dependencies'])
    prop['resources'] += [igm]

    prop['autoscaler_dependencies'] = [igm['name']]
    cpu_usage = prop.get("cpuUsage")
    autoscaler = CreateAutscaler(context, prop['deployment'], igm['name'],
                                 cpu_usage, prop['autoscaler_dependencies'])
    prop['resources'] += [autoscaler]

    prop['outputs'] += [
        {
            'name': 'deployment',
            'value': prop['deployment']
        },
        {
            'name': 'project',
            'value': prop['project']
        },
        {
            'name': 'instanceTemplateName',
            'value': gw_template['name']
        },
        {
            'name': 'InstanceTemplateLink',
            'value': common.Ref(gw_template['name'])
        },
        {
            'name': 'IGMname',
            'value': igm['name']
        },
        {
            'name': 'IGMLink',
            'value': common.RefGroup(igm['name'])
        },
        {
            'name': 'cpuUsagePercentage',
            'value': str(int(prop['cpuUsage'])) + '%'
        },
        {
            'name': 'minInstancesInt',
            'value': str(int(prop['minInstances']))
        },
        {
            'name': 'maxInstancesInt',
            'value': str(int(prop['maxInstances']))
        },
    ]

    return common.MakeResource(prop['resources'], prop['outputs'])
def generate_config(context):
    prop = context.properties

    validate_same_region(prop['zoneA'], prop['zoneB'])

    prop['deployment'] = context.env['deployment']
    prop['project'] = context.env['project']
    prop['region'] = common.ZoneToRegion(prop['zoneA'])
    prop['templateName'] = TEMPLATE_NAME
    prop['templateVersion'] = TEMPLATE_VERSION
    prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
    prop['hasInternet'] = 'true'  # via Google Private Access
    prop['installationType'] = 'Cluster'

    resources = []
    outputs = []
    gw_dependencies = []
    member_a_nics = []

    add_readiness_waiter(prop, resources)

    cluster_net_name, cluster_subnet_name = get_or_create_net(
        prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True)
    member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name))

    mgmt_net_name, mgmt_subnet_name = get_or_create_net(
        prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True)
    member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name))

    for ifnum in range(1, prop['numInternalNetworks'] + 1):
        int_net_name, int_subnet_name = get_or_create_net(
            prop, INTERNAL_NET_FIELD.format(ifnum), resources,
            gw_dependencies)
        member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name))

    member_b_nics = copy.deepcopy(member_a_nics)

    create_external_addresses(prop, resources, member_a_nics, member_b_nics)

    member_a_name = common.set_name_and_truncate(
        prop['deployment'], '-member-a')
    member_b_name = common.set_name_and_truncate(
        prop['deployment'], '-member-b')

    if prop['generatePassword']:
        passwd = password.GeneratePassword(12, False)
    else:
        passwd = ''

    member_a = make_gw(context, member_a_name, prop['zoneA'],
                       member_a_nics, passwd, gw_dependencies)
    member_b = make_gw(context, member_b_name, prop['zoneB'],
                       member_b_nics, passwd, gw_dependencies)

    resources += [member_a, member_b]

    outputs += [
        {
            'name': 'deployment',
            'value': prop['deployment']
        },
        {
            'name': 'project',
            'value': prop['project']
        },
        {
            'name': 'clusterIP',
            'value': '$(ref.{}.address)'.format(
                prop['primary_cluster_address_name'])
        },
        {
            'name': 'vmAName',
            'value': member_a_name,
        },
        {
            'name': 'vmAExternalIP',
            'value': '$(ref.{}.address)'.format(prop['member_a_address_name'])
        },
        {
            'name': 'vmASelfLink',
            'value': '$(ref.{}.selfLink)'.format(member_a_name),
        },
        {
            'name': 'vmBName',
            'value': member_b_name,
        },
        {
            'name': 'vmBExternalIP',
            'value': '$(ref.{}.address)'.format(prop['member_b_address_name'])
        },
        {
            'name': 'vmBSelfLink',
            'value': '$(ref.{}.selfLink)'.format(member_b_name),
        },
        {
            'name': 'password',
            'value': passwd
        }
    ]

    return common.MakeResource(resources, outputs)