CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

data "checkpoint_management_show_updatable_objects_repository_content" issue #153

Closed bmyers-dev closed 1 year ago

bmyers-dev commented 1 year ago

When using the data object for "checkpoint_management_show_updatable_objects_repository_content" it returns an accurate state as long as you haven't already defined it as a resource: resource "checkpoint_management_add_updatable_object"

Example: Before adding it in the local repository (notice "updatable_object" is empty, meaning it's not added):

{
  "module": "module.global",
  "mode": "data",
  "type": "checkpoint_management_show_updatable_objects_repository_content",
  "name": "updateable_objects_amazon_us_east_1_services",
  "provider": "provider[\"registry.terraform.io/checkpointsw/checkpoint\"].main",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "filter": {
          "text": "Amazon US East 1 Services"
        },
        "from": 1,
        "id": "show-updatable-objects-repository-content-4muvr3p772",
        "limit": null,
        "objects": [
          {
            "additional_properties": {
              "description": "This is an Amazon object, derived from a link listed below, and all its content is subject to Amazon IPs. Amazon Web Services (abbreviated AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the Internet by Amazon.com.",
              "info_text": "Amazon Web Services IP address ranges info page",
              "info_url": "http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html",
              "uri": "/Updatable Objects/Amazon Web Services/Amazon Services"
            },
            "name_in_updatable_objects_repository": "Amazon US East 1 Services",
            "uid_in_updatable_objects_repository": "aee83a51-72c8-11e7-9ce2-54a52c295409",
            "updatable_object": {}
          }
        ],
        "offset": null,
        "order": null,
        "to": 1,
        "total": 1,
        "uid_in_updatable_objects_repository": null
      },
      "sensitive_attributes": []
    }
  ]
},

After adding the object via "checkpoint_management_add_updatable_object" (notice "objects" is now null):

{
  "module": "module.global",
  "mode": "data",
  "type": "checkpoint_management_show_updatable_objects_repository_content",
  "name": "updateable_objects_amazon_us_east_1_services",
  "provider": "provider[\"registry.terraform.io/checkpointsw/checkpoint\"].main",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "filter": {
          "text": "Amazon US East 1 Services"
        },
        "from": 1,
        "id": "show-updatable-objects-repository-content-hanwe72nl1",
        "limit": null,
        "objects": null,
        "offset": null,
        "order": null,
        "to": 1,
        "total": 1,
        "uid_in_updatable_objects_repository": null
      },
      "sensitive_attributes": []
    }
  ]
},

I believe this might be because the schema for the "updatable object {}" object is inaccurate.

In case anyone is here looking for a workaround, I was able to do it this way:

Step 1 - Always update the Remote Repository

resource "random_id" "rng" {
  keepers = {
    first = "${timestamp()}"
  }
  byte_length = 8
}

resource "checkpoint_management_update_updatable_objects_repository_content" "updatable_objects_update" {
  lifecycle {
    create_before_destroy = true
    replace_triggered_by  = [random_id.rng.id]
  }
}

Step 2 - Pull the updatable object you want using the text filter (this will work as long as you haven't already added it to your management repository):

# Terraform provider bug - data source doesn't return objects after you use "checkpoint_management_add_updatable_object" resource
data "checkpoint_management_show_updatable_objects_repository_content" "search_updatable_objects_amazon_us_east_1_services" {
  depends_on = [checkpoint_management_update_updatable_objects_repository_content.updatable_objects_update]
  filter = {
    text = "Amazon US East 1 Services"
  }
}

Step 3 - Use the remote repository uid you found in step 2 to add it to your management for use.

Note: We have to "ignore" any changes to the uid, because on subsequent terraform runs, when Step 2 runs it will return an empty object without a UID.

# Terraform provider bug - data source doesn't return objects after you use "checkpoint_management_add_updatable_object" resource
resource "checkpoint_management_add_updatable_object" "uo_aws_us_east_1_services" {
  depends_on                          = [data.checkpoint_management_show_updatable_objects_repository_content.search_updatable_objects_amazon_us_east_1_services]
  uid_in_updatable_objects_repository = data.checkpoint_management_show_updatable_objects_repository_content.search_updatable_objects_amazon_us_east_1_services.objects[0].uid_in_updatable_objects_repository
  lifecycle {
    ignore_changes = [uid_in_updatable_objects_repository]
  }
}

Step 4 - Create a manual dependency on the object being added so you can use it in a rule:

resource "checkpoint_management_access_rule" "allow_test" {
  depends_on = [
    checkpoint_management_add_updatable_object.uo_aws_us_east_1_services,
    checkpoint_management_add_updatable_object.uo_aws_us_east_2_services,
  ]

  name     = "Test"
  layer    = checkpoint_management_access_layer.test.name
  position = { below = checkpoint_management_access_rule.testname }
  source   = ["Any"]
  destination = [
    "Amazon US East 1 Services",
    "Amazon US East 2 Services",
  ]
  service         = [data.checkpoint_management_data_service_tcp.s_tcp_443_https.name]
  action          = "Accept"
  action_settings = { enable_identity_captive_portal = "false" }
  custom_fields   = { field_1 = "test", field_2 = "", field_3 = "" }
  track           = { type = "Detailed Log", per_session = true, per_connection = true, accounting = true }
}
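
The same workaround generalized to several updatable objects with for_each, as an added example that is not part of the original comment or the provider's own code. It assumes the Step 1 resource "updatable_objects_update", an existing access layer named "test", and the "s_tcp_443_https" service data source from Step 4; the object names are constructed for illustration.

```hcl
locals {
  # Constructed set of repository object names; the access rule references
  # the objects by these same names, exactly as Step 4 above does.
  updatable_objects = toset([
    "Amazon US East 1 Services",
    "Amazon US East 2 Services",
  ])
}

# Step 2, generalized: one lookup per object name, each forced to run after
# the repository refresh from Step 1 (assumed to exist with that name).
data "checkpoint_management_show_updatable_objects_repository_content" "search" {
  for_each   = local.updatable_objects
  depends_on = [checkpoint_management_update_updatable_objects_repository_content.updatable_objects_update]
  filter = {
    text = each.key
  }
}

# Step 3, generalized: add every object once, then ignore uid drift because
# the data source returns no objects after the object exists in management.
resource "checkpoint_management_add_updatable_object" "uo" {
  for_each                            = local.updatable_objects
  uid_in_updatable_objects_repository = data.checkpoint_management_show_updatable_objects_repository_content.search[each.key].objects[0].uid_in_updatable_objects_repository
  lifecycle {
    ignore_changes = [uid_in_updatable_objects_repository]
  }
}

# Step 4: depending on the whole for_each resource makes Terraform add every
# object before the rule refers to it by name.
resource "checkpoint_management_access_rule" "allow_aws_https" {
  depends_on = [checkpoint_management_add_updatable_object.uo]

  name        = "Allow AWS US East over HTTPS"
  layer       = checkpoint_management_access_layer.test.name # assumed layer
  position    = { top = "top" }
  source      = ["Any"]
  destination = sort(tolist(local.updatable_objects))
  service     = [data.checkpoint_management_data_service_tcp.s_tcp_443_https.name]
  action      = "Accept"
  track       = { type = "Log" }
}
```

Adding a new name to local.updatable_objects creates one more lookup and one more add resource, and the rule's destination list picks it up without further edits.
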
chkp-adambar commented 1 year ago

Thanks. We are looking at the issue.

chkp-adambar commented 1 year ago

The issue is resolved in v2.6.0. Please update your version. Thanks.