CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

terraform plan takes ~15 mins for 1800 networks objects #67

Closed Sreerag74031 closed 3 years ago

Sreerag74031 commented 3 years ago

We imported 1800 existing network objects into Terraform state from our Check Point management server, and also added 1800 network configurations to our Terraform configurations. When we attempted terraform plan, it took ~15 minutes to come back with the result 'No changes. Infrastructure is up-to-date.' We did this with refresh false and parallelism 30:

terraform plan -refresh=false -parallelism=30

We don't have a time for the default plan, as the terminal crashed after many minutes of execution.

We use for_each in our config, here is our terraform config:

resource "checkpoint_management_network" "networks" {
  for_each     = { for el in var.networks : el.name => el }
  name         = each.key
  subnet4      = each.value.subnet4
  mask_length4 = each.value.mask_length4
  subnet6      = each.value.subnet6
  mask_length6 = each.value.mask_length6
  broadcast    = each.value.broadcast
  nat_settings = {
    auto_rule    = each.value.nat_settings.auto_rule
    ipv4_address = each.value.nat_settings.ipv4_address
    ipv6_address = each.value.nat_settings.ipv6_address
    hide_behind  = each.value.nat_settings.hide_behind
    install_on   = each.value.nat_settings.install_on
    method       = each.value.nat_settings.method
  }
  ignore_warnings = each.value.ignore_warnings
  ignore_errors   = each.value.ignore_errors
  color           = each.value.color
  comments        = each.value.comments
  tags            = each.value.tags
}

Interestingly, we did a similar import and plan for 1200 address range objects, and the plan only took 2 minutes. For 800 UDP service objects, the plan took 1 minute. We combined address range and UDP objects into one Terraform configuration, and the plan for 2000 total objects (1200 address range and 800 UDP) took 3.5 minutes.

Whereas the network with 1800 objects is taking ~15 minutes.

We combined all 3 object types and tested the plan; it took 19 minutes. We assume 15 minutes of this is the network object. So it looks like network object Terraform planning is taking significantly more time.

chkp-royl commented 3 years ago

Hi @Sreerag74031 ,

This issue is not related to the Check Point provider but to the 'show-network' API command that is executed per network resource. The 'terraform plan' command executes a refresh for every resource in your configuration, and for network objects it might take longer than for other resources. Try to see if you can make it run faster from the Terraform side.

Regards, Roy