CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

checkpoint_management_access_role Timeout Issue #68

Closed deutmeyerbrianpfg closed 3 years ago

deutmeyerbrianpfg commented 3 years ago

When creating a new checkpoint_management_access_role, the majority of AD groups being added to an AR will cause errors.

Input:

resource "checkpoint_management_access_role" "this" {
  name = "access_role_my_group_name"
  users {
    source    = "my.domain.com__AD"
    selection = ["My Group Name"]
  }
  comments = "My Group Name"
  tags     = ["terraform"]
}

Expected output is a successful creation.

However, timeout errors occur depending on what is supplied. If base_dn is not supplied, we see:

checkpoint_management_access_role.this: Creating...
checkpoint_management_access_role.this: Still creating... [10s elapsed]
╷
│ Error: Post "https://1.2.3.4:443/web_api/add-access-role": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
│ 
│   with checkpoint_management_access_role.this,
│   on access-role.tf line 11, in resource "checkpoint_management_access_role" "this":
│   11: resource "checkpoint_management_access_role" "this" {
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

If we supply base_dn = "OU=Groups,DC=my,DC=domain,DC=com" in the user dict, we see:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # checkpoint_management_access_role.this will be created
  + resource "checkpoint_management_access_role" "this" {
      + color           = "black"
      + comments        = "My Group Name"
      + id              = (known after apply)
      + ignore_errors   = false
      + ignore_warnings = false
      + name            = "access_role_my_group_name"
      + tags            = [
          + "terraform",
        ]

      + users {
          + base_dn   = "DC=my,DC=domain,DC=com"
          + selection = [
              + "My Group Name",
            ]
          + source    = "my.domain.com__AD"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
checkpoint_management_access_role.this: Creating...
╷
│ Error: failed to execute API call
│ Status: 400 Bad Request
│ Code: generic_server_error
│ Message: Mandatory query parameter 'Directory ID' was not supplied.
│ 
│   with checkpoint_management_access_role.this,
│   on access-role.tf line 1, in resource "checkpoint_management_access_role" "this":
│    1: resource "checkpoint_management_access_role" "this" {
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

deutmeyerbrianpfg commented 3 years ago

Setting export CHECKPOINT_TIMEOUT=30 solved this. It would be nice to see the timeout on the resource increased so the global timeout doesn't have to be changed. https://www.terraform.io/docs/extend/resources/retries-and-customizable-timeouts.html

chkp-royl commented 3 years ago

Hi @deutmeyerbrianpfg,

Good to hear you solved this issue. The environment variable CHECKPOINT_TIMEOUT is used for the Go SDK to complete a transaction.

Regards, Roy
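
The first failure in this thread, reproduced as an added example (not the provider's or the Go SDK's code): a Go HTTP client whose overall timeout is shorter than the server's response time fails with a client-side timeout error, and a longer timeout lets the same request succeed. The local test server, its 300 ms delay, and the names `slowManagementServer` and `addAccessRole` are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// slowManagementServer is a constructed stand-in for the management API:
// it waits for delay (for example a slow AD group lookup) before answering.
func slowManagementServer(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(delay)
		fmt.Fprint(w, `{"name":"access_role_my_group_name"}`)
	}))
}

// addAccessRole POSTs to the endpoint named in the issue using a client with
// a whole-request timeout. timedOut is true only when the client's deadline
// fired before the server sent its response headers.
func addAccessRole(baseURL string, timeout time.Duration) (timedOut bool, err error) {
	client := &http.Client{Timeout: timeout}
	body := strings.NewReader(`{"name":"access_role_my_group_name"}`)
	resp, err := client.Post(baseURL+"/web_api/add-access-role", "application/json", body)
	if err != nil {
		var ne net.Error
		return errors.As(err, &ne) && ne.Timeout(), err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("unexpected status %s", resp.Status)
	}
	return false, nil
}

func main() {
	srv := slowManagementServer(300 * time.Millisecond)
	defer srv.Close()
	for _, t := range []time.Duration{100 * time.Millisecond, 2 * time.Second} {
		timedOut, err := addAccessRole(srv.URL, t)
		fmt.Printf("timeout=%v timedOut=%v err=%v\n", t, timedOut, err)
	}
}
```

Distinguishing a client-side timeout from a server-side rejection matters here: the second error in the issue (400 Bad Request) is a response from the server and is not affected by the timeout setting.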