def create_instance_template(context,
name,
nics,
depends_on=None,
gw_version=VERSIONS['R80.20-GW']):
family = '-'.join(['check-point', gw_version, LICENSE])
formatter = common.DefaultFormatter()
instance_template_name = common.AutoName(name, default.TEMPLATE)
instance_template = {
"type": default.TEMPLATE,
"name": instance_template_name,
'metadata': {
'dependsOn': depends_on
},
"properties": {
"project": context.properties['project'],
"properties": {
"canIpForward":
True,
"disks": [{
"autoDelete":
True,
"boot":
True,
"deviceName":
common.set_name_and_truncate(
context.properties['deployment'],
'-{}-boot'.format(name)),
"index":
0,
"initializeParams": {
"diskType":
context.properties['diskType'],
"diskSizeGb":
context.properties['bootDiskSizeGb'],
"sourceImage":
'projects/%s/global/images/%s' %
(PROJECT, images.IMAGES[family])
},
"kind":
'compute#attachedDisk',
"mode":
"READ_WRITE",
"type":
"PERSISTENT"
}],
"machineType":
context.properties['machineType'],
"networkInterfaces":
nics,
'metadata': {
"kind":
'compute#metadata',
'items': [{
'key':
'startup-script',
'value':
formatter.format(startup_script, **context.properties)
}, {
'key': 'serial-port-enable',
'value': 'true'
}]
},
"scheduling": {
"automaticRestart": True,
"onHostMaintenance": "MIGRATE",
"preemptible": False
},
"serviceAccounts": [{
"email":
"default",
"scopes": [
"https://www.googleapis.com/" +
"auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/pubsub",
"https://www.googleapis.com/" +
"auth/service.management.readonly",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/trace.append"
]
}],
"tags": {
"items": [
'x-chkp-management--{}'.format(
context.properties['managementName']),
'x-chkp-template--{}'.format(
context.properties['AutoProvTemplate']),
'checkpoint-gateway'
]
}
}
}
}
tagItems = instance_template['properties']['properties']['tags']['items']
if context.properties['mgmtNIC'] == 'Ephemeral Public IP (eth0)':
tagItems.append("x-chkp-ip-address--public")
tagItems.append("x-chkp-management-interface--eth0")
elif context.properties['mgmtNIC'] == 'Private IP (eth1)':
tagItems.append("x-chkp-ip-address--private")
tagItems.append("x-chkp-management-interface--eth1")
if context.properties['networkDefinedByRoutes']:
tagItems.append("x-chkp-topology-eth1--internal")
tagItems.append("x-chkp-topology-settings-eth1"
"--network-defined-by-routes")
metadata = instance_template['properties']['properties']['metadata']
if context.properties['instanceSSHKey']:
metadata['items'].append({
'key': 'instanceSSHKey',
'value': context.properties['instanceSSHKey']
})
return instance_template
def generate_config(context):
"""Creates the gateway."""
prop = context.properties
prop['cloudguardVersion'], _, prop['installationType'] = prop[
'installationType'].partition(' ')
prop['templateName'] = TEMPLATE_NAME
prop['templateVersion'] = TEMPLATE_VERSION
prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
if not prop['managementGUIClientNetwork'] and prop['installationType'] in {
'Gateway and Management (Standalone)', 'Management only'
}:
raise Exception('Allowed GUI clients are required when installing '
'a management server')
for k in ['managementGUIClientNetwork']:
prop.setdefault(k, '')
resources = []
outputs = []
network_interfaces = []
external_ifs = []
zone = prop['zone']
deployment = context.env['deployment']
vm_name = set_name_and_truncate(deployment, '-vm')
access_configs = []
if prop['externalIP'] != 'None':
access_config = make_access_config(resources, vm_name, zone,
'Static' == prop['externalIP'])
access_configs.append(access_config)
external_ifs.append(0)
prop['hasInternet'] = 'true'
else:
prop['hasInternet'] = 'false'
network = common.MakeGlobalComputeLink(context, default.NETWORK)
networks = {prop['network']}
network_interface = {
'network': network,
'accessConfigs': access_configs,
}
if default.SUBNETWORK in prop:
network_interface['subnetwork'] = common.MakeSubnetworkComputeLink(
context, default.SUBNETWORK)
network_interfaces.append(network_interface)
for ifnum in range(1, prop['numAdditionalNICs'] + 1):
net = prop.get(ADDITIONAL_NETWORK.format(ifnum))
subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum))
ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum))
if not net or not subnet:
raise Exception(
'Missing network parameters for interface {}'.format(ifnum))
if net in networks:
raise Exception('Cannot use network "' + net + '" more than once')
networks.add(net)
net = ''.join([
default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
'/global/networks/', net
])
subnet = ''.join([
default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
'/regions/',
common.ZoneToRegion(zone), '/subnetworks/', subnet
])
network_interface = {
'network': net,
'subnetwork': subnet,
}
if 'None' != ext_ip:
external_ifs.append(ifnum)
access_config = make_access_config(resources, vm_name, zone,
'Static' == ext_ip, ifnum + 1)
access_configs = [access_config]
network_interface['accessConfigs'] = access_configs
if not prop.get('hasInternet') or 'false' == prop['hasInternet']:
prop['hasInternet'] = 'true'
network_interfaces.append(network_interface)
for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS):
prop.pop(ADDITIONAL_NETWORK.format(ifnum), None)
prop.pop(ADDITIONAL_SUBNET.format(ifnum), None)
prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None)
deployment_config = set_name_and_truncate(deployment, '-config')
prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' +
'projects/' + context.env['project'] + '/configs/' +
deployment_config)
prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:])
prop['deployment_config'] = deployment_config
tags = ATTRIBUTES[prop['installationType']]['tags']
uid = set_name_and_truncate(
vm_name, '-' + password.GeneratePassword(8, False).lower())
if prop['installationType'] == 'Gateway only':
prop['cloudguardVersion'] += '-GW'
if not prop.get('sicKey'):
prop['computed_sic_key'] = password.GeneratePassword(12, False)
else:
prop['computed_sic_key'] = prop['sicKey']
else:
prop['computed_sic_key'] = 'N/A'
outputs.append({
'name': 'sicKey',
'value': prop['computed_sic_key'],
}, )
if 'gw' in VERSIONS[prop['cloudguardVersion']]:
license_name = "{}-{}".format(LICENSE, LICENCE_TYPE)
else:
license_name = LICENSE
family = '-'.join(
['check-point', VERSIONS[prop['cloudguardVersion']], license_name])
formatter = common.DefaultFormatter()
gw = {
'type': default.INSTANCE,
'name': vm_name,
'properties': {
'description':
ATTRIBUTES[prop['installationType']]['description'],
'zone':
zone,
'tags': {
'items': tags + [uid],
},
'machineType':
common.MakeLocalComputeLink(context, default.MACHINETYPE),
'canIpForward':
ATTRIBUTES[prop['installationType']]['canIpForward'],
'networkInterfaces':
network_interfaces,
'disks': [{
'autoDelete':
True,
'boot':
True,
'deviceName':
common.AutoName(context.env['name'], default.DISK, 'boot'),
'initializeParams': {
'diskType':
common.MakeLocalComputeLink(context, default.DISKTYPE),
'diskSizeGb':
prop['bootDiskSizeGb'],
'sourceImage':
'projects/%s/global/images/%s' %
(PROJECT, images.IMAGES[family]),
},
'type':
'PERSISTENT',
}],
'metadata': {
'items': [
{
'key': 'startup-script',
'value': formatter.format(startup_script, **prop)
},
]
},
'serviceAccounts': [{
'email':
'default',
'scopes': ['https://www.googleapis.com/auth/monitoring.write'],
}]
}
}
if (prop['externalIP'] != 'None') and ('Manual Configuration' !=
prop['installationType']):
gw['properties']['serviceAccounts'][0]['scopes'].append(
'https://www.googleapis.com/auth/cloudruntimeconfig')
resources.append({
'name': deployment_config,
'type': 'runtimeconfig.v1beta1.config',
'properties': {
'config':
deployment_config,
'description': ('Holds software readiness status '
'for deployment {}').format(deployment),
},
})
resources.append({
'name': set_name_and_truncate(deployment, '-software'),
'type': 'runtimeconfig.v1beta1.waiter',
'metadata': {
'dependsOn': [],
},
'properties': {
'parent': '$(ref.' + deployment_config + '.name)',
'waiter': 'software',
'timeout': '1800s',
'success': {
'cardinality': {
'number': 1,
'path': 'status/success',
},
},
'failure': {
'cardinality': {
'number': 1,
'path': 'status/failure',
},
},
},
})
if 'instanceSSHKey' in prop:
gw['properties']['metadata']['items'].append({
'key':
'instanceSSHKey',
'value':
prop['instanceSSHKey']
})
if prop['generatePassword']:
passwd = password.GeneratePassword(12, False)
gw['properties']['metadata']['items'].append({
'key': 'adminPasswordSourceMetadata',
'value': passwd
})
else:
passwd = ''
resources.append(gw)
netlist = list(networks)
if GATEWAY in tags:
for i in range(len(netlist)):
network = netlist[i]
fw_rule_name_prefix = set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-all-to-chkp-{}'.format(i + 1))
firewall_rules = create_firewall_rules(prop, network,
fw_rule_name_prefix)
resources.extend(firewall_rules)
elif MANAGEMENT in tags:
for i in range(len(netlist)):
network = netlist[i]
source_ranges = prop['network_tcpSourceRanges']
tcp_enabled = prop['network_enableTcp']
gwNetwork_enabled = prop['network_enableGwNetwork']
gwNetwork_source_range = prop['network_gwNetworkSourceRanges']
if source_ranges and not tcp_enabled:
raise Exception(
'Allowed source IP ranges for TCP traffic are provided '
'but TCP not marked as allowed')
if tcp_enabled and not source_ranges:
raise Exception('Allowed source IP ranges for TCP traffic'
' are required when installing '
'a management server')
if not gwNetwork_enabled and gwNetwork_source_range:
raise Exception('Gateway network source IP are provided but '
'not marked as allowed.')
if gwNetwork_enabled and not gwNetwork_source_range:
raise Exception('Gateway network source IP is required in'
' MGMT deployment.')
ranges_list = source_ranges.split(',')
gw_network_list = gwNetwork_source_range.split(',')
ranges = []
gw_net_ranges = []
for source_range in ranges_list:
ranges.append(source_range.replace(" ", ""))
for gw_net_range in gw_network_list:
gw_net_ranges.append(gw_net_range.replace(" ", ""))
if tcp_enabled:
if gwNetwork_enabled:
resources.append({
'type':
'compute.v1.firewall',
'name':
set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-gateways-to-management-{}'.format(i + 1)),
'properties': {
'network':
'global/networks/' + network,
'sourceRanges':
list(set(gw_net_ranges + ranges)),
'sourceTags': [GATEWAY],
'targetTags': [uid],
'allowed': [
{
'IPProtocol': 'tcp',
'ports':
['257', '18191', '18210', '18264']
},
],
}
})
resources.append({
'type':
'compute.v1.firewall',
'name':
set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-gui-clients-{}'.format(i + 1)),
'properties': {
'network':
'global/networks/' + network,
'sourceRanges':
list(set(ranges)),
'targetTags': [uid],
'allowed': [
{
'IPProtocol': 'tcp',
'ports': ['22', '443', '18190', '19009']
},
],
}
})
fw_rule_name_prefix = set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-all-to-chkp-{}'.format(i + 1))
firewall_rules = create_firewall_rules(prop, network,
fw_rule_name_prefix, True,
uid)
resources.extend(firewall_rules)
outputs += [{
'name': 'deployment',
'value': deployment
}, {
'name': 'project',
'value': context.env['project']
}, {
'name': 'vmName',
'value': vm_name,
}, {
'name': 'vmId',
'value': '$(ref.%s.id)' % vm_name,
}, {
'name': 'vmSelfLink',
'value': '$(ref.%s.selfLink)' % vm_name,
}, {
'name': 'hasMultiExternalIPs',
'value': 0 < len(external_ifs) and external_ifs != [0],
}, {
'name':
'additionalExternalIPs',
'value':
', '.join([('$(ref.{}.networkInterfaces[{}].' +
'accessConfigs[0].natIP)').format(vm_name, ifnum)
for ifnum in external_ifs if ifnum])
}, {
'name': 'vmInternalIP',
'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name,
}, {
'name': 'password',
'value': passwd
}]
return common.MakeResource(resources, outputs)
def make_gw(context, name, zone, nics, passwd=None, depends_on=None):
cg_version = context.properties['ha_version'].split(' ')[0]
family = '-'.join(['check-point', VERSIONS[cg_version], LICENSE])
formatter = common.DefaultFormatter()
gw = {
'type': default.INSTANCE,
'name': name,
'metadata': {
'dependsOn': depends_on
},
'properties': {
'description': 'CloudGuard Highly Available Security Cluster',
'zone': zone,
'tags': {
'items': [GATEWAY],
},
'machineType': common.MakeLocalComputeLink(
context, default.MACHINETYPE, zone),
'canIpForward': True,
'networkInterfaces': nics,
'disks': [{
'autoDelete': True,
'boot': True,
'deviceName': common.set_name_and_truncate(
context.properties['deployment'],
'-{}-boot'.format(name)),
'initializeParams': {
'diskType': common.MakeLocalComputeLink(
context, default.DISKTYPE, zone),
'diskSizeGb': context.properties['bootDiskSizeGb'],
'sourceImage':
'projects/%s/global/images/%s' % (
PROJECT, images.IMAGES[family]),
},
'type': 'PERSISTENT',
}],
'metadata': {
'items': [
{
'key': 'startup-script',
'value': formatter.format(
startup_script, **context.properties)
}
]
},
'serviceAccounts': [{
'email': 'default',
'scopes': [
'https://www.googleapis.com/auth/monitoring.write',
'https://www.googleapis.com/auth/compute',
'https://www.googleapis.com/auth/cloudruntimeconfig'
],
}]
}
}
if context.properties['instanceSSHKey']:
gw['properties']['metadata']['items'].append(
{
'key': 'instanceSSHKey',
'value': context.properties['instanceSSHKey']
}
)
if passwd:
gw['properties']['metadata']['items'].append(
{
'key': 'adminPasswordSourceMetadata',
'value': passwd
}
)
return gw
