Merge pull request #3 from chkp-meravbe/mb-aws-tf-add-iam-role-gwlb

merging two branches
CheckPointSW · Sep 26, 2023 · 0744702 · 0744702
2 parents 18e955a + 4620f51
commit 0744702
Show file tree

Hide file tree

Showing 14 changed files with 312 additions and 12 deletions.
diff --git a/terraform/aws/cme-iam-role-gwlb/README.md b/terraform/aws/cme-iam-role-gwlb/README.md
@@ -0,0 +1,100 @@
+# AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group Terraform module
+
+Terraform module which creates an AWS IAM Role for Cloud Management Extension (CME) manages Gateway Load Balancer Auto Scale Group on Security Management Server.
+
+These types of Terraform resources are supported:
+* [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role)
+* [AWS IAM policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)
+* [AWS IAM policy attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment)
+
+This type of Terraform data source is supported:
+* [AWS IAM policy document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document)
+
+See the [Creating an AWS IAM Role for Security Management Server](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122074) for additional information
+
+## Configurations
+
+The **main.tf** file includes the following provider configuration block used to configure the credentials for the authentication with AWS, as well as a default region for your resources:
+```
+provider "aws" {
+    region = var.region
+    access_key = var.access_key
+    secret_key = var.secret_key
+}
+```
+The provider credentials can be provided either as static credentials or as [Environment Variables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables).
+- Static credentials can be provided by adding an access_key and secret_key in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows:
+```
+region     = "us-east-1"
+access_key = "my-access-key"
+secret_key = "my-secret-key"
+```
+- In case the Environment Variables are used, perform modifications described below:<br/>
+  a. The next lines in main.tf file, in the provider aws resource, need to be commented:
+  ```
+  provider "aws" {
+  //  region = var.region
+  //  access_key = var.access_key
+  //  secret_key = var.secret_key
+  }
+  ```
+
+## Usage
+- Fill all variables in the /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file with proper values (see below for variables descriptions).
+- From a command line initialize the Terraform configuration directory:
+    ```
+    terraform init
+    ```
+- Create an execution plan:
+    ```
+    terraform plan
+    ```
+- Create or modify the deployment:
+    ```
+    terraform apply
+    ```
+
+- Variables are configured in /terraform/aws/cme-iam-role-gwlb/**terraform.tfvars** file as follows:
+
+  ```
+    //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+    permissions = "Create with read permissions"
+    sts_roles = ['arn:aws:iam::111111111111:role/role_name']
+    trusted_account = ""
+  ```
+
+- To tear down your resources:
+    ```
+    terraform destroy
+    ```
+
+
+## Inputs
+| Name            | Description                                                                                                                                                           | Type         | Allowed values                                                                                                                                  | Default                      | Required |
+|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|----------|
+| permissions     | The IAM role permissions                                                                                                                                              | string       | - Create with assume role permissions (specify an STS role ARN) <br/> - Create with read permissions <br/> - Create with read-write permissions | Create with read permissions | no       |
+| sts_roles       | The IAM role will be able to assume these STS Roles (map of string ARNs)                                                                                              | list(string) | n/a                                                                                                                                             | []                           | no       |
+| trusted_account | A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it | string       | n/a                                                                                                                                             | ""                           | no       |
+
+
+## Outputs
+| Name                 | Description                           |
+|----------------------|---------------------------------------|
+| cme_iam_role_arn     | The created AWS IAM Role arn          |
+| cme_iam_role_name    | The created AWS IAM Role name         |
+| cme_iam_profile_name | The created AWS instance profile name |
+| cme_iam_profile_arn  | The created AWS instance profile arn  |
+
+## Revision History
+In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
+
+| Template Version | Description                                                        |
+|------------------|--------------------------------------------------------------------|
+| 20230926         | CME instance profile for IAM Role                                  |
+
+
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](../../LICENSE) file for details
diff --git a/terraform/aws/cme-iam-role-gwlb/main.tf b/terraform/aws/cme-iam-role-gwlb/main.tf
@@ -0,0 +1,109 @@
+provider "aws" {
+  region = var.region
+  access_key = var.access_key
+  secret_key = var.secret_key
+}
+
+resource "aws_iam_role" "cme_iam_role_gwlb" {
+  assume_role_policy = data.aws_iam_policy_document.cme_role_assume_policy_document.json
+  path = "/"
+}
+
+data "aws_iam_policy_document" "cme_role_assume_policy_document" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type = var.trusted_account == "" ? "Service" : "AWS"
+      identifiers = var.trusted_account == "" ? ["ec2.amazonaws.com"] : [var.trusted_account]
+    }
+  }
+}
+
+locals {
+  provided_sts_roles = length(var.sts_roles) == 0 ? 0 : 1
+  allow_read_permissions = var.permissions == "Create with read-write permissions" || var.permissions == "Create with read permissions" ? 1 : 0
+  allow_write_permissions = var.permissions == "Create with read-write permissions" ? 1 : 0
+}
+
+data "aws_iam_policy_document" "cme_role_sts_policy_doc" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+    resources = var.sts_roles
+  }
+}
+resource "aws_iam_policy" "cme_role_sts_policy" {
+  count = local.provided_sts_roles
+  policy = data.aws_iam_policy_document.cme_role_sts_policy_doc.json
+
+}
+resource "aws_iam_role_policy_attachment" "attach_sts_policy" {
+  count = local.provided_sts_roles
+  policy_arn = aws_iam_policy.cme_role_sts_policy[0].arn
+  role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_read_policy_doc" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = [
+      "autoscaling:DescribeAutoScalingGroups",
+      "ec2:DescribeInstances",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DescribeRouteTables",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeVpcs",
+      "ec2:DescribeInternetGateways",
+      "ec2:DescribeVpcEndpoints",
+      "ec2:DescribeVpcEndpointServiceConfigurations",
+      "elasticloadbalancing:DescribeLoadBalancers",
+      "elasticloadbalancing:DescribeTags",
+      "elasticloadbalancing:DescribeListeners",
+      "elasticloadbalancing:DescribeTargetGroups",
+      "elasticloadbalancing:DescribeRules",
+      "elasticloadbalancing:DescribeTargetHealth"]
+    resources = ["*"]
+  }
+}
+resource "aws_iam_policy" "cme_role_read_policy" {
+  count = local.allow_read_permissions
+  policy = data.aws_iam_policy_document.cme_role_read_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_read_policy" {
+  count = local.allow_read_permissions
+  policy_arn = aws_iam_policy.cme_role_read_policy[0].arn
+  role = aws_iam_role.cme_iam_role_gwlb.id
+}
+
+data "aws_iam_policy_document" "cme_role_write_policy_doc" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:CreateRoute",
+      "ec2:ReplaceRoute",
+      "ec2:DeleteRoute",
+      "ec2:CreateRouteTable",
+      "ec2:AssociateRouteTable",
+      "ec2:CreateTags"
+]
+    resources = ["*"]
+  }
+}
+resource "aws_iam_policy" "cme_role_write_policy" {
+  count = local.allow_write_permissions
+  policy = data.aws_iam_policy_document.cme_role_write_policy_doc.json
+}
+resource "aws_iam_role_policy_attachment" "attach_write_policy" {
+  count = local.allow_write_permissions
+  policy_arn = aws_iam_policy.cme_role_write_policy[0].arn
+  role = aws_iam_role.cme_iam_role_gwlb.id
+}
+resource "aws_iam_instance_profile" "iam_instance_profile" {
+  role = aws_iam_role.cme_iam_role_gwlb.id
+}
diff --git a/terraform/aws/cme-iam-role-gwlb/output.tf b/terraform/aws/cme-iam-role-gwlb/output.tf
@@ -0,0 +1,13 @@
+output "cme_iam_role_arn" {
+  value = aws_iam_role.cme_iam_role_gwlb.arn
+}
+output "cme_iam_role_name" {
+  value = aws_iam_role.cme_iam_role_gwlb.name
+}
+output "cme_iam_profile_name" {
+  value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+  value = aws_iam_instance_profile.iam_instance_profile.arn
+}
+
diff --git a/terraform/aws/cme-iam-role-gwlb/terraform.tfvars b/terraform/aws/cme-iam-role-gwlb/terraform.tfvars
@@ -0,0 +1,5 @@
+//PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
+
+permissions = "Create with read permissions"
+sts_roles = []
+trusted_account = ""
diff --git a/terraform/aws/cme-iam-role-gwlb/variables.tf b/terraform/aws/cme-iam-role-gwlb/variables.tf
@@ -0,0 +1,42 @@
+// Module: IAM role for selected permissions
+
+// --- AWS Provider ---
+variable "region" {
+  type = string
+  description = "AWS region"
+  default = ""
+}
+variable "access_key" {
+  type = string
+  description = "AWS access key"
+  default = ""
+}
+variable "secret_key" {
+  type = string
+  description = "AWS secret key"
+  default = ""
+}
+
+variable "permissions" {
+  type = string
+  description = "The IAM role permissions"
+  default = "Create with read permissions"
+}
+locals {
+  permissions_allowed_values = [
+    "Create with assume role permissions (specify an STS role ARN)",
+    "Create with read permissions",
+    "Create with read-write permissions"]
+  // Will fail if var.permissions is invalid
+  validate_permissions = index(local.permissions_allowed_values, var.permissions)
+}
+variable "sts_roles" {
+  type = list(string)
+  description = "The IAM role will be able to assume these STS Roles (map of string ARNs)"
+  default = []
+}
+variable "trusted_account" {
+  type = string
+  description = "A 12 digits number that represents the ID of a trusted account. IAM users in this account will be able assume the IAM role and receive the permissions attached to it"
+  default = ""
+}
diff --git a/terraform/aws/cme-iam-role-gwlb/versions.tf b/terraform/aws/cme-iam-role-gwlb/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.14.3"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.24.1"
+    }
+  }
+}
diff --git a/terraform/aws/cme-iam-role/README.md b/terraform/aws/cme-iam-role/README.md
@@ -60,7 +60,7 @@ secret_key = "my-secret-key"
     //PLEASE refer to README.md for accepted values FOR THE VARIABLES BELOW
 
     permissions = "Create with read permissions"
-    sts_roles = []
+    sts_roles = ['arn:aws:iam::111111111111:role/role_name']
     trusted_account = ""
   ```
 
@@ -83,16 +83,16 @@ secret_key = "my-secret-key"
 |----------------------|---------------------------------------|
 | cme_iam_role_arn     | The created AWS IAM Role arn          |
 | cme_iam_role_name    | The created AWS IAM Role name         |
-| cme_iam_profile_arn  | The created AWS instance profile arn  |
 | cme_iam_profile_name | The created AWS instance profile name |
+| cme_iam_profile_arn  | The created AWS instance profile arn  |
 
 ## Revision History
 In order to check the template version, please refer to [sk116585](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116585)
 
 | Template Version | Description                                                        |
 |------------------|--------------------------------------------------------------------|
 | 20210309         | First release of Check Point CME IAM Role Terraform module for AWS |
-| 20230529         | Added CME instance profile for IAM Role                            |
+| 20230529         | CME instance profile for IAM Role                                  | 
 
 
 

diff --git a/terraform/aws/cme-iam-role/output.tf b/terraform/aws/cme-iam-role/output.tf
@@ -4,9 +4,9 @@ output "cme_iam_role_arn" {
 output "cme_iam_role_name" {
   value = aws_iam_role.cme_iam_role.name
 }
-output "cme_iam_profile_arn" {
-  value = aws_iam_instance_profile.iam_instance_profile.arn
-}
 output "cme_iam_profile_name" {
   value = aws_iam_instance_profile.iam_instance_profile.name
+}
+output "cme_iam_profile_arn" {
+  value = aws_iam_instance_profile.iam_instance_profile.arn
 }
diff --git a/terraform/aws/gwlb/README.md b/terraform/aws/gwlb/README.md
@@ -16,7 +16,7 @@ See the [Check Point CloudGuard Gateway Load Balancer on AWS](https://sc1.checkp
 This solution uses the following modules:
 - /terraform/aws/autoscale-gwlb
 - /terraform/aws/management
-- /terraform/aws/cme-iam-role
+- /terraform/aws/cme-iam-role-gwlb
 - /terraform/aws/modules/amis
 ## Configurations
 

diff --git a/terraform/aws/gwlb/main.tf b/terraform/aws/gwlb/main.tf
@@ -90,4 +90,5 @@ module "management" {
   gateway_management = var.gateway_management
   management_bootstrap_script = "echo -e '\nStarting Bootstrap script\n'; cv_json_path='/etc/cloud-version.json'\n cv_json_path_tmp='/etc/cloud-version-tmp.json'\n if test -f \"$cv_json_path\"; then cat \"$cv_json_path\" | jq '.template_name = \"'\"management_gwlb\"'\"' > \"$cv_json_path_tmp\"; mv \"$cv_json_path_tmp\" \"$cv_json_path\"; fi; autoprov_cfg -f init AWS -mn ${var.management_server} -tn ${var.configuration_template} -cn gwlb-controller -po ${var.gateways_policy} -otp ${var.gateway_SICKey} -r ${data.aws_region.current.name} -ver ${split("-", var.gateway_version)[0]} -iam; echo -e '\nFinished Bootstrap script\n'"
   volume_type = var.volume_type
+  is_gwlb_iam = true
 }
diff --git a/terraform/aws/management/locals.tf b/terraform/aws/management/locals.tf
@@ -10,6 +10,11 @@ locals {
 
   use_role = var.iam_permissions == "None (configure later)" ? 0 : 1
   create_iam_role = var.iam_permissions == "Create with assume role permissions (specify an STS role ARN)" || var.iam_permissions == "Create with read permissions" || var.iam_permissions == "Create with read-write permissions"
+  pre_role = (local.use_role == 1 && local.create_iam_role == false) ? 1 : 0
+  new_instance_profile = (local.create_iam_role == true && local.use_role == 1) ? 1 : 0
+
+  new_instance_profile_general = local.new_instance_profile == 1 && var.is_gwlb_iam == false ? 1 : 0
+  new_instance_profile_gwlb = local.new_instance_profile == 1 && var.is_gwlb_iam ? 1 : 0
 
   admin_shell_allowed_values = [
     "/etc/cli.sh",

diff --git a/terraform/aws/management/main.tf b/terraform/aws/management/main.tf
@@ -113,9 +113,9 @@ resource "aws_eip" "eip" {
 }
 
 resource "aws_iam_instance_profile" "management_instance_profile" {
-  count = local.use_role
+  count = local.pre_role
   path = "/"
-  role = local.create_iam_role ? join("", module.cme_iam_role.*.cme_iam_role_name) : var.predefined_role
+  role = var.predefined_role
 }
 
 resource "aws_instance" "management-instance" {
@@ -145,7 +145,8 @@ resource "aws_instance" "management-instance" {
   }
   instance_type = var.management_instance_type
   key_name = var.key_name
-  iam_instance_profile = local.use_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : ""
+
+  iam_instance_profile = local.use_role == 1 ? (local.pre_role == 1 ? aws_iam_instance_profile.management_instance_profile[0].id : join("", (var.is_gwlb_iam == true ? module.cme_iam_role_gwlb.*.cme_iam_profile_name : module.cme_iam_role.*.cme_iam_profile_name))): ""
 
   disable_api_termination = var.disable_instance_termination
 
@@ -176,7 +177,18 @@ module "cme_iam_role" {
   providers = {
     aws = aws
   }
-  count = local.create_iam_role ? 1 : 0
+  count = local.new_instance_profile_general
+
+  sts_roles = var.sts_roles
+  permissions = var.iam_permissions
+}
+
+module "cme_iam_role_gwlb" {
+  source = "../cme-iam-role-gwlb"
+  providers = {
+    aws = aws
+  }
+  count = local.new_instance_profile_gwlb
 
   sts_roles = var.sts_roles
   permissions = var.iam_permissions