CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Terraform leaves session open and can't query for created resources #72

Closed Draxter closed 3 years ago

Draxter commented 3 years ago

Software Versions:

Terraform: v1.0.2
Checkpoint Provider: 1.4.0
Checkpoint Manager: R80.40
API: v1.6

Issue Description:

My aim is to create a network resource in Checkpoint using Terraform as follows:

resource "checkpoint_management_network" "example3" {
  name = "aaa_terraform_network"
  subnet4 = "10.0.253.0"
  mask_length4 = 24
}

Terraform runs fine, plans and applies the change:

checkpoint_management_network.example3: Creating...
checkpoint_management_network.example3: Creation complete after 1s [id=ba2a7eb5-f24a-4db4-b5da-9e94c4574df7]

Upon inspection in Checkpoint SmartConsole, the network does not show up. When Terraform is re-run, it thinks that the resource changed outside of Terraform and tries to recreate it. I run the following command to try to see if the network can be retrieved, which it can't; this appears to be the reason why Terraform tries to recreate the network on subsequent runs:

[Expert@CPFWMGMTHS01:0]# mgmt_cli -r true show-network uid ba2a7eb5-f24a-4db4-b5da-9e94c4574df7
code: "generic_err_object_not_found"
message: "Requested object [ba2a7eb5-f24a-4db4-b5da-9e94c4574df7] not found"

Upon further inspection in Management CLI the network exists:

cpm=# select name,objclass from dleobjectderef_data where objid ='ba2a7eb5-f24a-4db4-b5da-9e94c4574df7';
         name          |                     objclass
-----------------------+--------------------------------------------------
 aaa_terraform_network | com.checkpoint.objects.classes.dummy.CpmiNetwork
(1 row)
cpm=# select * from search_columns('ba2a7eb5-f24a-4db4-b5da-9e94c4574df7');
 schemaname |               tablename               |   columnname    |  rowctid
------------+---------------------------------------+-----------------+-----------
 public     | abstractauditlogbase                  | displayedobjid  | (15489,1)
 public     | abstractauditlogbase                  | targetobjid     | (15489,1)
 public     | public2privatesyncsvc$sessionsyncinfo | validatedobject | (899,39)
 public     | dbindexnetworkobject_data             | objid           | (27,48)
 public     | locknonos                             | lockedobjid     | (2,5)
 public     | link_data                             | sourceobjectid  | (5883,23)
 public     | dleobjectderef_data                   | objid           | (21816,7)
 public     | ip_range_internal_search_data         | owner_id        | (11,24)
(8 rows)

However, the session that Terraform creates is not closed, which I believe is the root cause. (Normally, when creating a network using the CLI/UI, it only becomes visible after the session has been closed.) Here's more debug info which shows Terraform's session still being open:

cpm=# select * from locknonos where lockedobjid='ba2a7eb5-f24a-4db4-b5da-9e94c4574df7';
-[ RECORD 1 ]-------+------------------------------------------
objid               | e55a4af8-d2c5-4228-b683-66dcf89aa7bf
domainid            | 41e821a0-3720-11e3-aa6e-0800200c9fde
domainworksessionid | 5488f023-4cae-4b03-9d92-bba24cda3be5
lockingsessionid    | cedb26f0-e6bb-42cf-8142-b00eb1359700
lockingtime         | 1626166457142
lockedobjid         | ba2a7eb5-f24a-4db4-b5da-9e94c4574df7
operation           | CP_LOCK_OPERATION_CREATE
cpm=# select * from domainworksession where objid='5488f023-4cae-4b03-9d92-bba24cda3be5';
-[ RECORD 1 ]---------------+-------------------------------------
objid                       | 5488f023-4cae-4b03-9d92-bba24cda3be5
alignedtopublishnumber      | 1513
checkpointobjid             |
dledomainid                 | 41e821a0-3720-11e3-aa6e-0800200c9fde
dlesession                  | 0
domainid                    | 41e821a0-3720-11e3-aa6e-0800200c9fde
folder                      | 2a75887c-e374-45bf-81ba-cf8168518ff1
inwork                      | f
lastlogintime               | 2021-07-13 09:54:16.676
lastlogouttime              | 2021-07-13 11:32:25.758
numberoflocks               | 1
numberofoperations          | 1
objectstoresessionid        | 086bb093-bd69-417d-a709-c38ebb1820e2
permissionprimitivepresetid | 9f251382-3ecc-3945-a568-f5cb417ab65f
publishnumber               | -1
publishtime                 |
readprimitiveid             | 32565dd2-1954-42e6-99c2-e42fae141000
sessionversion              | -1
state                       | OPEN
worksessionid               | cedb26f0-e6bb-42cf-8142-b00eb1359700
cpm=# select * from objectstoresessionentity where rowid='086bb093-bd69-417d-a709-c38ebb1820e2';
-[ RECORD 1 ]+---------------------------------------------------------------
rowid        | 086bb093-bd69-417d-a709-c38ebb1820e2
creationtime | 2021-07-13 09:54:16.768
description  | App name: WEB_API Admin name:net-terraform Session ModeREGULAR
domainid     | 41e821a0-3720-11e3-aa6e-0800200c9fde
id           | 39
open         | t
version      | -1
cpm=# select dlesession,name,deleted from dleobjectderef_data where objid='ba2a7eb5-f24a-4db4-b5da-9e94c4574df7';
 dlesession |         name          | deleted
------------+-----------------------+---------
         39 | aaa_terraform_network | f
(1 row)

Am I right in thinking that Terraform cannot retrieve the resource because the session does not close?

chkp-royl commented 3 years ago

Hi @Draxter ,

In order to see the changes done in Terraform in SmartConsole you need to publish the current session. Please read the post-apply actions section in the Check Point provider docs: https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs#post-applydestroy-commands
If you wish to log out from the current session you should use the logout resource: https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs/resources/checkpoint_management_logout

Regards, Roy

Draxter commented 3 years ago

Thanks @chkp-royl, I missed that somehow. I can also see that publishing the session can be accomplished using the checkpoint_management_publish resource. Would you recommend this method?

chkp-royl commented 3 years ago

Hi @Draxter ,

You can use the publish resource, but you need to make sure it runs last, after all changes are done (Terraform works in parallel). Post-apply commands allow you to do it more easily, but it's up to you.

Regards, Roy
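The ordering Roy describes, as an added example that is not part of the thread: the publish resource is forced to run after every managed object with Terraform's depends_on meta-argument, and a logout resource closes the WEB_API session afterwards so no open session keeps locks on the created objects. The provider block (server, credentials) is assumed to be configured elsewhere, and the second network is a constructed object, not one from the issue.

```hcl
# Added example, not the issue's own configuration. Provider configuration
# (server, credentials) is assumed to be set up elsewhere.

# The network from the issue, plus a second constructed one to show that the
# publish must wait for every object, not just one.
resource "checkpoint_management_network" "example3" {
  name         = "aaa_terraform_network"
  subnet4      = "10.0.253.0"
  mask_length4 = 24
}

resource "checkpoint_management_network" "example4" {
  name         = "aaa_terraform_network_2" # constructed
  subnet4      = "10.0.254.0"              # constructed
  mask_length4 = 24
}

# Terraform creates independent resources in parallel. Without an explicit
# dependency on every object, the publish could run before some of them exist
# and commit only part of the change set.
resource "checkpoint_management_publish" "publish" {
  depends_on = [
    checkpoint_management_network.example3,
    checkpoint_management_network.example4,
  ]
}

# Close the session once the publish is done, so the management server is not
# left with an OPEN session holding CP_LOCK_OPERATION_CREATE locks.
resource "checkpoint_management_logout" "logout" {
  depends_on = [checkpoint_management_publish.publish]
}
```

On destroy, Terraform reverses the dependency order (logout and publish are destroyed before the networks), which is why the provider docs' post-apply/destroy commands are the simpler route when objects are also removed.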