CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

checkpoint_management_service_tcp - cannot delete object if part of a group #152

Open pr0c4 opened 1 year ago

pr0c4 commented 1 year ago

Hello,

Seems ignore_warnings = true does not work for the resource checkpoint_management_service_tcp because I can't delete the object if it is part of a group, similar to issue 135 I believe.


resource "checkpoint_management_service_tcp" "tcp_service" {
  for_each                    = var.clients
  name                        = "tcp_${each.key}"
  port                        = "${each.value.remote_port}"
  session_timeout             = 3600
  match_for_any               = true
  sync_connections_on_cluster = true
  ignore_warnings             = true
  aggressive_aging = {
    enable              = true
    timeout             = 360
    use_default_timeout = false
  }
  keep_connections_open_after_policy_installation = true
  tags                                            = []
  lifecycle {
    precondition {
      condition = (
        each.value["remote_port"] >= 1000 &&
        each.value["remote_port"] <= 65000
      )
      error_message = "Port number must be between 1000 and 65000"
    }
  }
}

resource "checkpoint_management_service_group" "smpp_services" {
  name            = "smpp_services"
  ignore_warnings = true
  members         = values(checkpoint_management_service_tcp.tcp_service)[*].name
  depends_on      = [checkpoint_management_service_tcp.tcp_service]
  lifecycle {
    replace_triggered_by = [checkpoint_management_service_tcp.tcp_service]
  }
}

At apply, the delete of the tcp_service instance happens before the update-in-place of smpp_services, so the API gives this error:

│ Error: failed to execute API call
│ Status: 409 Conflict
│ Code: generic_err_object_deletion
│ Message: Object tcp_client_3 could not be deleted because it is referenced by other objects, run where-used command for details
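The ordering the report asks for (drop the service from the group first, delete it second) can be done outside Terraform against the Management API. The script below is an added example, not code from this issue or from the provider: it asks `where-used` which objects still reference the service, refuses to continue if anything other than a service group references it, removes it from those groups with `set-service-group`, and only then runs `delete-service-tcp` and `publish`. The command names are Check Point Management API commands; the exact layout of the `where-used` response that `classify_references` reads is an assumption, and `RecordingApi` plus `SAMPLE_WHERE_USED` are constructed stand-ins so the script runs offline.

```python
# Added example (not from this issue or the provider): detach a TCP service
# object from the service groups that reference it before deleting it.
# Command names are Check Point Management API commands; the where-used
# response layout handled below is an assumption. RecordingApi answers from
# canned data so the script runs without a management server.
import json
import urllib.request


class ManagementApi:
    """Minimal client: POST JSON to https://<server>/web_api/<command> with a session id."""

    def __init__(self, base_url, sid):
        self.base_url = base_url.rstrip("/")
        self.sid = sid  # session id returned by the `login` command

    def call(self, command, payload):
        req = urllib.request.Request(
            f"{self.base_url}/web_api/{command}",
            data=json.dumps(payload).encode("utf-8"),
            headers={"Content-Type": "application/json", "X-chkp-sid": self.sid},
        )
        with urllib.request.urlopen(req) as resp:  # raises HTTPError on 409 etc.
            return json.load(resp)


class RecordingApi:
    """Constructed fake: records every call and answers where-used from canned data."""

    def __init__(self, where_used):
        self.where_used = where_used
        self.calls = []

    def call(self, command, payload):
        self.calls.append((command, payload))
        return self.where_used if command == "where-used" else {}


def classify_references(where_used):
    """Split direct references into service groups (detachable) and anything else (blocking).

    Assumed layout: where_used["used-directly"] holds an "objects" list plus
    per-rulebase lists; only the service-group entries can be fixed here.
    """
    direct = where_used.get("used-directly", {})
    groups, blocking = [], []
    for obj in direct.get("objects", []):
        if obj.get("type") == "service-group":
            groups.append(obj.get("name"))
        else:
            blocking.append(obj.get("name"))
    for key in ("access-control-rules", "nat-rules", "threat-prevention-rules"):
        for rule in direct.get(key, []):
            blocking.append(f"{key}: {json.dumps(rule, sort_keys=True)}")
    return groups, blocking


def detach_and_delete(api, service_name, ignore_warnings=True):
    """Remove the service from its groups, delete it, publish; return the groups touched."""
    groups, blocking = classify_references(
        api.call("where-used", {"name": service_name, "details-level": "standard"})
    )
    if blocking:
        # A rule or non-group object still uses the service: deleting would 409 anyway.
        raise RuntimeError(f"{service_name} is still used outside service groups: {blocking}")
    for group in groups:
        api.call("set-service-group",
                 {"name": group, "members": {"remove": [service_name]},
                  "ignore-warnings": ignore_warnings})
    api.call("delete-service-tcp",
             {"name": service_name, "ignore-warnings": ignore_warnings})
    api.call("publish", {})
    return groups


# Constructed where-used answer mirroring the error in the issue: tcp_client_3
# is a direct member of smpp_services and is used nowhere else.
SAMPLE_WHERE_USED = {
    "used-directly": {
        "total": 1,
        "objects": [{"name": "smpp_services", "type": "service-group",
                     "uid": "<uid-placeholder>"}],
        "access-control-rules": [],
        "nat-rules": [],
        "threat-prevention-rules": [],
    },
    "used-indirectly": {"total": 0, "objects": []},
}


def demo():
    """Run the detach-then-delete sequence against the fake and report the call order."""
    api = RecordingApi(SAMPLE_WHERE_USED)
    removed_from = detach_and_delete(api, "tcp_client_3")
    return removed_from, [command for command, _ in api.calls]


if __name__ == "__main__":
    print(demo())  # (['smpp_services'], ['where-used', 'set-service-group', 'delete-service-tcp', 'publish'])
```

Against a real server, construct `ManagementApi("https://<mgmt-server>", sid)` with the session id from `login` and run `detach_and_delete` for each instance about to drop out of `var.clients` before the `terraform apply` that removes it; the refusal on non-group references is what keeps the script from silently stripping a service out of a rulebase.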

chkp-adambar commented 1 year ago

Hi @pr0c4, this is the current behavior of a tcp_service. If we have a service that is part of a group, it cannot be deleted even if we were to choose ignore-warnings. Thanks

pr0c4 commented 1 year ago

OK, then is it possible to have the provider do the update-in-place of the group before doing the delete of the host?

chkp-adambar commented 1 year ago

Hi, at the moment it is not supported by the API and so not supported in the provider, which reflects the API. You can open an RFE for Check Point to include that capability in the API itself. Thanks

pr0c4 commented 1 year ago

Thanks, I will contact my Check Point support for the RFE.