def validate_region(test_zone, valid_region):
test_region = common.ZoneToRegion(test_zone)
if test_region != valid_region:
err_msg = '{} is in region {}. All subnets must be ' + \
'in the same region ({})'
raise common.Error(err_msg.format(test_zone, test_region,
valid_region))
def CreateAutscaler(context, name, igm, cpu_usage, depends_on=None):
prop = context.properties
autoscaler_name = common.AutoName(name, default.AUTOSCALER)
depends_on = depends_on
cpu_usage = float(cpu_usage) / 100
resource = {
'name': autoscaler_name,
'metadata': {
'dependsOn': depends_on
},
'type': default.REGION_AUTOSCALER,
'properties': {
'target': '$(ref.' + igm + '.selfLink)',
'region': common.ZoneToRegion(prop.get("externalZone")),
'autoscalingPolicy': {
'minNumReplicas': int(prop.get("minInstances")),
'maxNumReplicas': int(prop.get("maxInstances")),
'cpuUtilization': {
'utilizationTarget': cpu_usage
},
'coolDownPeriodSec': 90
}
}
}
return resource
def MakeStaticAddress(vm_name, zone):
"""Creates a static IP address resource; returns it and the natIP."""
address_name = vm_name + '-address'
address_resource = {
'name': address_name,
'type': default.ADDRESS,
'properties': {
'name': address_name,
'region': common.ZoneToRegion(zone),
},
}
return (address_resource, '$(ref.%s.address)' % address_name)
def MakeStaticAddress(vm_name, zone, ifnum=None):
"""Creates a static IP address resource; returns it and the natIP."""
if ifnum:
address_name = set_name_and_truncate(vm_name,
'-address-{}'.format(ifnum))
else:
address_name = set_name_and_truncate(vm_name, '-address')
address_resource = {
'name': address_name,
'type': default.ADDRESS,
'properties': {
'name': address_name,
'region': common.ZoneToRegion(zone),
},
}
return address_resource, '$(ref.%s.address)' % address_name
def GenerateAutscaledGroup(context, name, instance_template, depends_on=None):
prop = context.properties
igm_name = common.AutoName(name, default.IGM)
depends_on = depends_on
resource = {
'name': igm_name,
'metadata': {
'dependsOn': depends_on
},
'type': default.REGION_IGM,
'properties': {
'region': common.ZoneToRegion(prop.get("externalZone")),
'baseInstanceName': name,
'instanceTemplate': '$(ref.' + instance_template + '.selfLink)',
'targetSize': prop.get("minInstances"),
# 'autoHealingPolicies': [{
# 'initialDelaySec': 60
# }]
}
}
return resource
def create_nics(context):
prop = context.properties
base_region = common.ZoneToRegion(prop['externalZone'])
firewall_rules = create_firewall_rules(context)
if firewall_rules:
prop['resources'].extend(firewall_rules)
validate_region(prop['internalZone'], base_region)
validate_networks(prop['externalNetwork'], prop['internalNetwork'])
nics = []
nics.append(
make_nic(prop, prop['externalNetwork'], prop['externalZone'],
prop['externalSubnet'], prop['gatewayExternalIP']))
nics.append(
make_nic(prop,
prop['internalNetwork'],
prop['internalZone'],
prop['internalSubnet'],
externalIP=False))
return nics
def generate_config(context):
"""Creates the gateway."""
prop = context.properties
prop['cloudguardVersion'], _, prop['installationType'] = prop[
'installationType'].partition(' ')
prop['templateName'] = TEMPLATE_NAME
prop['templateVersion'] = TEMPLATE_VERSION
prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
if not prop['managementGUIClientNetwork'] and prop['installationType'] in {
'Gateway and Management (Standalone)', 'Management only'
}:
raise Exception('Allowed GUI clients are required when installing '
'a management server')
for k in ['managementGUIClientNetwork']:
prop.setdefault(k, '')
resources = []
outputs = []
network_interfaces = []
external_ifs = []
zone = prop['zone']
deployment = context.env['deployment']
vm_name = set_name_and_truncate(deployment, '-vm')
access_configs = []
if prop['externalIP'] != 'None':
access_config = make_access_config(resources, vm_name, zone,
'Static' == prop['externalIP'])
access_configs.append(access_config)
external_ifs.append(0)
prop['hasInternet'] = 'true'
else:
prop['hasInternet'] = 'false'
network = common.MakeGlobalComputeLink(context, default.NETWORK)
networks = {prop['network']}
network_interface = {
'network': network,
'accessConfigs': access_configs,
}
if default.SUBNETWORK in prop:
network_interface['subnetwork'] = common.MakeSubnetworkComputeLink(
context, default.SUBNETWORK)
network_interfaces.append(network_interface)
for ifnum in range(1, prop['numAdditionalNICs'] + 1):
net = prop.get(ADDITIONAL_NETWORK.format(ifnum))
subnet = prop.get(ADDITIONAL_SUBNET.format(ifnum))
ext_ip = prop.get(ADDITIONAL_EXTERNAL_IP.format(ifnum))
if not net or not subnet:
raise Exception(
'Missing network parameters for interface {}'.format(ifnum))
if net in networks:
raise Exception('Cannot use network "' + net + '" more than once')
networks.add(net)
net = ''.join([
default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
'/global/networks/', net
])
subnet = ''.join([
default.COMPUTE_URL_BASE, 'projects/', context.env['project'],
'/regions/',
common.ZoneToRegion(zone), '/subnetworks/', subnet
])
network_interface = {
'network': net,
'subnetwork': subnet,
}
if 'None' != ext_ip:
external_ifs.append(ifnum)
access_config = make_access_config(resources, vm_name, zone,
'Static' == ext_ip, ifnum + 1)
access_configs = [access_config]
network_interface['accessConfigs'] = access_configs
if not prop.get('hasInternet') or 'false' == prop['hasInternet']:
prop['hasInternet'] = 'true'
network_interfaces.append(network_interface)
for ifnum in range(prop['numAdditionalNICs'] + 1, MAX_NICS):
prop.pop(ADDITIONAL_NETWORK.format(ifnum), None)
prop.pop(ADDITIONAL_SUBNET.format(ifnum), None)
prop.pop(ADDITIONAL_EXTERNAL_IP.format(ifnum), None)
deployment_config = set_name_and_truncate(deployment, '-config')
prop['config_url'] = ('https://runtimeconfig.googleapis.com/v1beta1/' +
'projects/' + context.env['project'] + '/configs/' +
deployment_config)
prop['config_path'] = '/'.join(prop['config_url'].split('/')[-4:])
prop['deployment_config'] = deployment_config
tags = ATTRIBUTES[prop['installationType']]['tags']
uid = set_name_and_truncate(
vm_name, '-' + password.GeneratePassword(8, False).lower())
if prop['installationType'] == 'Gateway only':
prop['cloudguardVersion'] += '-GW'
if not prop.get('sicKey'):
prop['computed_sic_key'] = password.GeneratePassword(12, False)
else:
prop['computed_sic_key'] = prop['sicKey']
else:
prop['computed_sic_key'] = 'N/A'
outputs.append({
'name': 'sicKey',
'value': prop['computed_sic_key'],
}, )
if 'gw' in VERSIONS[prop['cloudguardVersion']]:
license_name = "{}-{}".format(LICENSE, LICENCE_TYPE)
else:
license_name = LICENSE
family = '-'.join(
['check-point', VERSIONS[prop['cloudguardVersion']], license_name])
formatter = common.DefaultFormatter()
gw = {
'type': default.INSTANCE,
'name': vm_name,
'properties': {
'description':
ATTRIBUTES[prop['installationType']]['description'],
'zone':
zone,
'tags': {
'items': tags + [uid],
},
'machineType':
common.MakeLocalComputeLink(context, default.MACHINETYPE),
'canIpForward':
ATTRIBUTES[prop['installationType']]['canIpForward'],
'networkInterfaces':
network_interfaces,
'disks': [{
'autoDelete':
True,
'boot':
True,
'deviceName':
common.AutoName(context.env['name'], default.DISK, 'boot'),
'initializeParams': {
'diskType':
common.MakeLocalComputeLink(context, default.DISKTYPE),
'diskSizeGb':
prop['bootDiskSizeGb'],
'sourceImage':
'projects/%s/global/images/%s' %
(PROJECT, images.IMAGES[family]),
},
'type':
'PERSISTENT',
}],
'metadata': {
'items': [
{
'key': 'startup-script',
'value': formatter.format(startup_script, **prop)
},
]
},
'serviceAccounts': [{
'email':
'default',
'scopes': ['https://www.googleapis.com/auth/monitoring.write'],
}]
}
}
if (prop['externalIP'] != 'None') and ('Manual Configuration' !=
prop['installationType']):
gw['properties']['serviceAccounts'][0]['scopes'].append(
'https://www.googleapis.com/auth/cloudruntimeconfig')
resources.append({
'name': deployment_config,
'type': 'runtimeconfig.v1beta1.config',
'properties': {
'config':
deployment_config,
'description': ('Holds software readiness status '
'for deployment {}').format(deployment),
},
})
resources.append({
'name': set_name_and_truncate(deployment, '-software'),
'type': 'runtimeconfig.v1beta1.waiter',
'metadata': {
'dependsOn': [],
},
'properties': {
'parent': '$(ref.' + deployment_config + '.name)',
'waiter': 'software',
'timeout': '1800s',
'success': {
'cardinality': {
'number': 1,
'path': 'status/success',
},
},
'failure': {
'cardinality': {
'number': 1,
'path': 'status/failure',
},
},
},
})
if 'instanceSSHKey' in prop:
gw['properties']['metadata']['items'].append({
'key':
'instanceSSHKey',
'value':
prop['instanceSSHKey']
})
if prop['generatePassword']:
passwd = password.GeneratePassword(12, False)
gw['properties']['metadata']['items'].append({
'key': 'adminPasswordSourceMetadata',
'value': passwd
})
else:
passwd = ''
resources.append(gw)
netlist = list(networks)
if GATEWAY in tags:
for i in range(len(netlist)):
network = netlist[i]
fw_rule_name_prefix = set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-all-to-chkp-{}'.format(i + 1))
firewall_rules = create_firewall_rules(prop, network,
fw_rule_name_prefix)
resources.extend(firewall_rules)
elif MANAGEMENT in tags:
for i in range(len(netlist)):
network = netlist[i]
source_ranges = prop['network_tcpSourceRanges']
tcp_enabled = prop['network_enableTcp']
gwNetwork_enabled = prop['network_enableGwNetwork']
gwNetwork_source_range = prop['network_gwNetworkSourceRanges']
if source_ranges and not tcp_enabled:
raise Exception(
'Allowed source IP ranges for TCP traffic are provided '
'but TCP not marked as allowed')
if tcp_enabled and not source_ranges:
raise Exception('Allowed source IP ranges for TCP traffic'
' are required when installing '
'a management server')
if not gwNetwork_enabled and gwNetwork_source_range:
raise Exception('Gateway network source IP are provided but '
'not marked as allowed.')
if gwNetwork_enabled and not gwNetwork_source_range:
raise Exception('Gateway network source IP is required in'
' MGMT deployment.')
ranges_list = source_ranges.split(',')
gw_network_list = gwNetwork_source_range.split(',')
ranges = []
gw_net_ranges = []
for source_range in ranges_list:
ranges.append(source_range.replace(" ", ""))
for gw_net_range in gw_network_list:
gw_net_ranges.append(gw_net_range.replace(" ", ""))
if tcp_enabled:
if gwNetwork_enabled:
resources.append({
'type':
'compute.v1.firewall',
'name':
set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-gateways-to-management-{}'.format(i + 1)),
'properties': {
'network':
'global/networks/' + network,
'sourceRanges':
list(set(gw_net_ranges + ranges)),
'sourceTags': [GATEWAY],
'targetTags': [uid],
'allowed': [
{
'IPProtocol': 'tcp',
'ports':
['257', '18191', '18210', '18264']
},
],
}
})
resources.append({
'type':
'compute.v1.firewall',
'name':
set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-gui-clients-{}'.format(i + 1)),
'properties': {
'network':
'global/networks/' + network,
'sourceRanges':
list(set(ranges)),
'targetTags': [uid],
'allowed': [
{
'IPProtocol': 'tcp',
'ports': ['22', '443', '18190', '19009']
},
],
}
})
fw_rule_name_prefix = set_name_and_truncate(
'{}-{}'.format(deployment[:23], network[:18]),
'-allow-all-to-chkp-{}'.format(i + 1))
firewall_rules = create_firewall_rules(prop, network,
fw_rule_name_prefix, True,
uid)
resources.extend(firewall_rules)
outputs += [{
'name': 'deployment',
'value': deployment
}, {
'name': 'project',
'value': context.env['project']
}, {
'name': 'vmName',
'value': vm_name,
}, {
'name': 'vmId',
'value': '$(ref.%s.id)' % vm_name,
}, {
'name': 'vmSelfLink',
'value': '$(ref.%s.selfLink)' % vm_name,
}, {
'name': 'hasMultiExternalIPs',
'value': 0 < len(external_ifs) and external_ifs != [0],
}, {
'name':
'additionalExternalIPs',
'value':
', '.join([('$(ref.{}.networkInterfaces[{}].' +
'accessConfigs[0].natIP)').format(vm_name, ifnum)
for ifnum in external_ifs if ifnum])
}, {
'name': 'vmInternalIP',
'value': '$(ref.%s.networkInterfaces[0].networkIP)' % vm_name,
}, {
'name': 'password',
'value': passwd
}]
return common.MakeResource(resources, outputs)
def generate_config(context):
prop = context.properties
validate_same_region(prop['zoneA'], prop['zoneB'])
prop['deployment'] = context.env['deployment']
prop['project'] = context.env['project']
prop['region'] = common.ZoneToRegion(prop['zoneA'])
prop['templateName'] = TEMPLATE_NAME
prop['templateVersion'] = TEMPLATE_VERSION
prop['allowUploadDownload'] = str(prop['allowUploadDownload']).lower()
prop['hasInternet'] = 'true' # via Google Private Access
prop['installationType'] = 'Cluster'
resources = []
outputs = []
gw_dependencies = []
member_a_nics = []
add_readiness_waiter(prop, resources)
cluster_net_name, cluster_subnet_name = get_or_create_net(
prop, CLUSTER_NET_FIELD, resources, gw_dependencies, True, True)
member_a_nics.append(make_nic(prop, cluster_net_name, cluster_subnet_name))
mgmt_net_name, mgmt_subnet_name = get_or_create_net(
prop, MGMT_NET_FIELD, resources, gw_dependencies, False, True)
member_a_nics.append(make_nic(prop, mgmt_net_name, mgmt_subnet_name))
for ifnum in range(1, prop['numInternalNetworks'] + 1):
int_net_name, int_subnet_name = get_or_create_net(
prop, INTERNAL_NET_FIELD.format(ifnum), resources,
gw_dependencies)
member_a_nics.append(make_nic(prop, int_net_name, int_subnet_name))
member_b_nics = copy.deepcopy(member_a_nics)
create_external_addresses(prop, resources, member_a_nics, member_b_nics)
member_a_name = common.set_name_and_truncate(
prop['deployment'], '-member-a')
member_b_name = common.set_name_and_truncate(
prop['deployment'], '-member-b')
if prop['generatePassword']:
passwd = password.GeneratePassword(12, False)
else:
passwd = ''
member_a = make_gw(context, member_a_name, prop['zoneA'],
member_a_nics, passwd, gw_dependencies)
member_b = make_gw(context, member_b_name, prop['zoneB'],
member_b_nics, passwd, gw_dependencies)
resources += [member_a, member_b]
outputs += [
{
'name': 'deployment',
'value': prop['deployment']
},
{
'name': 'project',
'value': prop['project']
},
{
'name': 'clusterIP',
'value': '$(ref.{}.address)'.format(
prop['primary_cluster_address_name'])
},
{
'name': 'vmAName',
'value': member_a_name,
},
{
'name': 'vmAExternalIP',
'value': '$(ref.{}.address)'.format(prop['member_a_address_name'])
},
{
'name': 'vmASelfLink',
'value': '$(ref.{}.selfLink)'.format(member_a_name),
},
{
'name': 'vmBName',
'value': member_b_name,
},
{
'name': 'vmBExternalIP',
'value': '$(ref.{}.address)'.format(prop['member_b_address_name'])
},
{
'name': 'vmBSelfLink',
'value': '$(ref.{}.selfLink)'.format(member_b_name),
},
{
'name': 'password',
'value': passwd
}
]
return common.MakeResource(resources, outputs)
def validate_same_region(zone_a, zone_b):
if not common.ZoneToRegion(zone_a) == common.ZoneToRegion(zone_b):
raise common.Error('Member A Zone ({}) and Member B Zone ({}) '
'are not in the same region'.format(zone_a, zone_b))
