CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Terraform apply has no effect #18

Closed kaushikmaji closed 4 years ago

kaushikmaji commented 4 years ago

We are trying to start using Terraform for Check Point related daily tasks, e.g. port openings. We have followed the steps below:

  1. Created a PoC gateway and management server in Azure and connected the management server with the gateway.
  2. Created the main.tf file. Pasted at the end of this message.
  3. Built publish.go and install_policy.go and kept the exes at the same location as main.tf.
  4. Set the environment variables as described in the link https://www.terraform.io/docs/providers/checkpoint/index.html
  5. Then executed the commands below:

terraform init

terraform plan

terraform apply && ./publish.exe &&

./install_policy.exe -policy-package "Standard" -target "gatewayfw"

The final output shows "Apply complete! Resources: 11 added, 0 changed, 0 destroyed."

But when we go into the SmartConsole of the Management Server, no network objects, services or rules were created as defined in the Terraform main.tf file.

Please assist!!

main.tf >>>>>>>

# Configure the Check Point Provider
provider "checkpoint" {}

# Create a Network Object
resource "checkpoint_management_network" "DMZNet" {
    name = "network1"
    subnet4 = "10.0.2.0"
    mask_length4 = 24
}
resource "checkpoint_management_network" "DMZZone" {
    name = "network2"
    subnet4 = "10.0.3.0"
    mask_length4 = 24
}
resource "checkpoint_management_network" "InternalNet" {
    name = "network3"
    subnet4 = "10.0.4.0"
    mask_length4 = 24
}
resource "checkpoint_management_network" "CPDShield" {
    name = "network4"
    subnet4 = "10.0.5.0"
    mask_length4 = 24
}

# Create custom Network Service
resource "checkpoint_management_service_tcp" "example" {
  name = "New_TCP_Service_11"
  port = 5669
  keep_connections_open_after_policy_installation = false
  session_timeout = 0
  match_for_any = true
  sync_connections_on_cluster = true
  aggressive_aging = {
    enable = true
    timeout = 360
    use_default_timeout = false
  } 
}

# Create Network Rules
resource "checkpoint_management_access_rule" "rule1" {
  layer = "Network"
  position = {top = "top"}
  name = "rule1"
}

resource "checkpoint_management_access_rule" "rule2" {
  layer = "Network"
  position = {below = checkpoint_management_access_rule.rule1.name}
  name = "rule2"
  enabled = true
}

resource "checkpoint_management_access_rule" "rule3" {
  layer = "Network"
  position = {below = checkpoint_management_access_rule.rule2.name}
  name = "rule3"
  action = "Accept"
  action_settings = {
    enable_identity_captive_portal = true
  }
  source = ["DMZNet", "DMZZone"]
  enabled = true
  destination = ["InternalNet", "CPDShield"]
  destination_negate = true
}

resource "checkpoint_management_access_rule" "rule4" {
  layer = "Network"
  position = {below = checkpoint_management_access_rule.rule3.name}
  name = "rule4"
  track = {
    type = "Log"
  }
  enabled = false
}

resource "checkpoint_management_access_rule" "rule5" {
  layer = "Network"
  position = {below = checkpoint_management_access_rule.rule4.name}
  name = "rule5"
  action = "Accept"
}

resource "checkpoint_management_access_rule" "rule6" {
  layer = "Network"
  position = {below = checkpoint_management_access_rule.rule5.name}
  name = "rule6"
}

chkp-royl commented 4 years ago

Hi kaushikmaji, it seems like the publish script failed to run and your changes didn't get published. On success, it prints "published successfully". Is the API server using a configured port or the default API port (e.g. 443)?

kaushikmaji commented 4 years ago

Hello, we first perform publish and then perform install_policy. In both cases it says "Apply Completed". The surprising thing is that when we go to SmartConsole -> open user sessions, it shows around 11 changes to be published. Then, upon right-clicking on that session, if we select the "publish and discard" option, all objects we tried to push using Terraform get published as required. So we are not able to understand what is missing.

The API server is running on the default port 443. We are just doing a PoC, so we have created new PAYG gateway and management servers directly from the marketplace in Azure.

chkp-royl commented 4 years ago

Hi kaushikmaji, I think something went wrong during the publish script, which failed, so the session with all the Terraform changes was not published. The authentication method in both the publish and install policy scripts must be via environment variables: CHECKPOINT_SERVER, CHECKPOINT_USERNAME, CHECKPOINT_PASSWORD. Please make sure you set them correctly. If this issue still happens to you, please let me know.

Thanks, Roy

kaushikmaji commented 4 years ago

Hello Roy, thanks for your response. Yes, we are using environment variables only, as per the documentation. So, as I said, using those environment variables, terraform plan and terraform apply with publish and install_policy are all seemingly working fine and giving no errors on my PC. When we check the user session in SmartConsole's open user sessions, it shows that the changes have gone through up to the session (count under the changes column in a user session), but somehow they are not being published to the firewall.

I am using Windows 10 on my PC and thus I am building publish.go and install_policy.go on my Windows machine before using the compiled executables in the Terraform commands. Does that make any difference? Should I use some additional steps? If that does not clarify my position, maybe I could upload a short video here of what we are doing and the challenge.

chkp-royl commented 4 years ago

Hi kaushikmaji, the script publish.go is responsible for publishing the changes made in Terraform to the management server. In your case, the changes are not being published at all, so I assume the publish.go script fails during its run and your changes remain in the private session as you describe. Please make sure you build the publish.go script as mentioned in the documentation: https://www.terraform.io/docs/providers/checkpoint/index.html#publish Moreover, you can try to run the script without terraform apply. This will publish your last session as long as it is still alive.

kaushikmaji commented 4 years ago

It worked!!

It worked when I ran publish and install_policy separately, i.e. without terraform apply. It's really good. Thanks for your assistance. But this also means that the documentation https://www.terraform.io/docs/providers/checkpoint/index.html#publish, which uses the && operator to chain terraform apply with publish and install_policy, was not working on Windows? So should it be replaced with a pipe ( | ) etc.?

Thanks again for your input. I would appreciate it if the thread were kept open for 1-2 days, as we will perform some more testing and, in case of any related issue, we will report it here.
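One way to avoid the silent failure described in this thread, where "Apply complete!" is printed but the session is never published, is a wrapper that only proceeds to install_policy after the publish step has actually confirmed success. This is an added example, not code from the provider or from anyone in the thread; it assumes, as chkp-royl states above, that publish prints "published successfully" on success, and it takes the policy package and target names from the issue.

```shell
#!/bin/sh
# Added example: gate install_policy on publish confirming success instead of
# trusting the exit status of the chained commands.
# Assumption: the publish script prints "published successfully" on success.
set -u

TERRAFORM=${TERRAFORM:-terraform}
PUBLISH=${PUBLISH:-./publish.exe}
INSTALL_POLICY=${INSTALL_POLICY:-./install_policy.exe}
POLICY_PACKAGE=${POLICY_PACKAGE:-Standard}
TARGET=${TARGET:-gatewayfw}

# Fail early if a credential variable the publish/install scripts read is unset,
# so a failed login cannot leave the changes stranded in a private session.
check_env() {
    for v in CHECKPOINT_SERVER CHECKPOINT_USERNAME CHECKPOINT_PASSWORD; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing environment variable $v" >&2
            return 1
        fi
    done
    return 0
}

# Run publish and inspect its output, not only its exit status:
# returns 0 only when the success marker is actually printed.
publish_and_verify() {
    out=$("$PUBLISH" 2>&1) || { printf 'publish exited non-zero:\n%s\n' "$out" >&2; return 1; }
    case "$out" in
        *"published successfully"*) return 0 ;;
        *) printf 'publish gave no success confirmation:\n%s\n' "$out" >&2; return 1 ;;
    esac
}

# Full sequence; each step runs only if the previous one really succeeded.
# Return codes: 2 missing env, 3 apply failed, 4 publish unconfirmed, 5 install failed.
deploy() {
    check_env || return 2
    "$TERRAFORM" apply -auto-approve || return 3
    publish_and_verify || return 4
    "$INSTALL_POLICY" -policy-package "$POLICY_PACKAGE" -target "$TARGET" || return 5
    return 0
}

# Run the sequence only when explicitly requested, so the file can also be sourced.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
    deploy
fi
```

On Windows this needs a POSIX shell such as Git Bash, since Windows PowerShell 5 does not support the && chaining shown in the provider documentation.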

kaushikmaji commented 4 years ago

Thanks for your assistance with this case.