This repository provides a structured set of Terraform modules for deploying Check Point CloudGuard Network Security in GCP. These modules automate the creation of Virtual Networks, Security Gateways, High-Availability architectures, and more, enabling secure and scalable cloud deployments.
- Create a project in the Google Cloud Console and set up billing on that project.
- Install Terraform and read the Terraform getting started guide that follows. This guide will assume basic proficiency with Terraform - it is an introduction to the Google provider.
- Create a Service Account (or use the existing one). Next, download the JSON key file. Name it something you can remember and store it somewhere secure on your machine.
- Select "Editor" Role or verify you have the following permissions:
  - compute.autoscalers.create
  - compute.autoscalers.delete
  - compute.autoscalers.get
  - compute.autoscalers.update
  - compute.disks.create
  - compute.firewalls.create
  - compute.firewalls.delete
  - compute.firewalls.get
  - compute.firewalls.update
  - compute.instanceGroupManagers.create
  - compute.instanceGroupManagers.delete
  - compute.instanceGroupManagers.get
  - compute.instanceGroupManagers.use
  - compute.instanceGroups.delete
  - compute.instanceTemplates.create
  - compute.instanceTemplates.delete
  - compute.instanceTemplates.get
  - compute.instanceTemplates.useReadOnly
  - compute.instances.create
  - compute.instances.setMetadata
  - compute.instances.setTags
  - compute.networks.get
  - compute.networks.updatePolicy
  - compute.regions.list
  - compute.subnetworks.get
  - compute.subnetworks.use
  - compute.subnetworks.useExternalIp
  - iam.serviceAccounts.actAs
- Configure the provider in your `main.tf` file. Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire.
The provider credentials can be provided either as static credentials or as environment variables.

- Static credentials: specify the path to your service account key file in your `main.tf`:

  ```hcl
  provider "google" {
    credentials = "path/to/service-account-key.json"
    project     = "your-project-id"
    region      = "your-region"
  }
  ```

- Environment variables: if you prefer to use environment variables (e.g., `GOOGLE_APPLICATION_CREDENTIALS`, `GOOGLE_PROJECT`), you can omit `credentials` and `project` from the provider block:

  ```hcl
  provider "google" {
    region = "your-region"
  }
  ```
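The permission list above is the least-privilege alternative to granting the broad "Editor" role. The following shell script is an added example, not code from this repository: it turns that list into a custom-role definition in the YAML layout accepted by `gcloud iam roles create --file`, and reports which required permissions are absent from a file that lists the permissions actually granted to the deployment service account (one per line). The role title and the granted-permissions file are placeholders.

```shell
#!/bin/sh
# Added example (not part of the CheckPointSW module repository): build a
# least-privilege custom role from the README's permission list and check a
# granted-permission list against it. Role title and file paths are placeholders.

REQUIRED_PERMISSIONS="
compute.autoscalers.create
compute.autoscalers.delete
compute.autoscalers.get
compute.autoscalers.update
compute.disks.create
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.use
compute.instanceGroups.delete
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.setMetadata
compute.instances.setTags
compute.networks.get
compute.networks.updatePolicy
compute.regions.list
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
iam.serviceAccounts.actAs
"

# Print the required permissions one per line, sorted and de-duplicated.
required_permissions() {
    printf '%s\n' "$REQUIRED_PERMISSIONS" | sed '/^[[:space:]]*$/d' | sort -u
}

# Exit 0 if the given permission is in the required set, 1 otherwise.
covers() {
    required_permissions | grep -qxF "$1"
}

# Emit a role definition for `gcloud iam roles create ROLE_ID --file role.yaml`.
# $1 is the role title (placeholder).
custom_role_yaml() {
    printf 'title: "%s"\n' "$1"
    printf 'description: "Least-privilege role for the CloudGuard Terraform modules"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    required_permissions | sed 's/^/- /'
}

# Print every required permission missing from $1, a file listing the
# permissions currently granted to the service account, one per line.
missing_permissions() {
    granted=$(mktemp)
    sort -u "$1" > "$granted"
    required_permissions | comm -23 - "$granted"
    rm -f "$granted"
}
```

Typical use is `custom_role_yaml "CloudGuard Terraform" > role.yaml`, followed by `gcloud iam roles create ROLE_ID --project PROJECT_ID --file role.yaml` and binding that role to the deployment service account; `missing_permissions granted.txt` tells you before `terraform plan` which permissions a narrower role still lacks, instead of finding out from an API error mid-apply.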
Submodules: contains modular, reusable, production-grade Terraform components, each with its own documentation.
Examples: demonstrates how to use the modules.

Submodules:
- `single` - Deploys a single Check Point Security Gateway or Management Server.
- `cluster` - Deploys a Check Point Security Gateway cluster (high availability).
- `autoscale` - Deploys Check Point Security Gateways with auto-scaling capabilities.
- `network-security-integration` - Deploys GCP Network Security Integration.

Internal Submodules:
- `firewall-rule` - Deploys firewall rules on GCP VPCs.
- `internal-load-balancer` - Deploys an internal load balancer.
- `network-and-subnet` - Deploys a VPC and a subnetwork in that VPC.
- `network-security-integration-common` - Deploys Network Security Integration.
- `compute-image` - Deploys using the latest image for the OS version.
Add the required module in your Terraform configuration file (`main.tf`) to deploy resources. For example:

```hcl
provider "google" {
  credentials = "path/to/service-account-key.json"
  project     = "your-project-id"
  region      = "your-region"
}

module "example_module" {
  source  = "CheckPointSW/cloudguard-network-security/gcp//modules/{module_name}"
  version = "{chosen_version}"
  // Add the required inputs
}
```

Use Terraform commands to deploy resources securely.
Prepare the working directory and download the required provider plugins:

```shell
terraform init
```

Preview the changes Terraform will make:

```shell
terraform plan
```

Apply the planned changes and deploy the resources:

```shell
terraform apply
```