Closed harhan closed 2 years ago
We solved this with github actions and discard on failure
https://sc1.checkpoint.com/documents/R80/APIs/#web/discard%20
```python
url = f"https://{cp_mgmt}/web_api/discard"
payload = {}
headers = {
    "Content-Type": "application/json",
    "Cache-Control": "no-cache",
    "X-chkp-sid": sid,
}
```
To add to @LockeColtenPFG's comments. You need the terraform apply step to continue on error, then the next step check for said error and if true, run the discard script and log out. Assuming you are using a script for publishing, it would be very similar.
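The flow described in the comment above (apply continues on error, the next step discards on failure and always logs out), as an added example that is not code from this thread or from the provider project. It assumes the CI job already holds the session id; the function names and the `CP_APPLY_EXIT`, `CP_MGMT` and `CP_SID` variable names are hypothetical.

```python
import json
import os
import sys
import urllib.request


def api_post(cp_mgmt, command, sid, timeout=30):
    """POST an empty JSON body to /web_api/<command> for session `sid`."""
    req = urllib.request.Request(
        f"https://{cp_mgmt}/web_api/{command}",
        data=json.dumps({}).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        method="POST",
    )
    # Certificate verification stays on (urllib default); sid is never printed.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def cleanup_after_apply(apply_exit_code, cp_mgmt, sid, post=api_post):
    """Discard the session's changes if apply failed, then always log out.

    Returns (commands_that_succeeded, exit_code_for_the_ci_step).
    """
    done, failed = [], []
    commands = (["discard"] if apply_exit_code != 0 else []) + ["logout"]
    for command in commands:
        try:
            post(cp_mgmt, command, sid)
            done.append(command)
        except Exception as exc:  # keep going so logout is still attempted
            failed.append(command)
            print(f"{command} failed: {type(exc).__name__}", file=sys.stderr)
    # Keep the apply failure visible to the pipeline after cleanup.
    return done, apply_exit_code or (1 if failed else 0)


if __name__ == "__main__":
    # Hypothetical variable names; set by the CI job, not by the provider.
    done, code = cleanup_after_apply(
        int(os.environ["CP_APPLY_EXIT"]), os.environ["CP_MGMT"], os.environ["CP_SID"]
    )
    print("completed:", ", ".join(done) or "nothing")
    sys.exit(code)
```

Run it as the step after `terraform apply`, passing the apply step's exit code, so the job still fails after cleanup when apply failed.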
The customer uses Terraform Cloud/Enterprise and is limited in what is possible to do outside the provider. I'm not sure if this is logic that can be part of the provider, though it should at least be able to send a discard call on its own? I use a checkpoint_apply resource and taint it before every plan that contains changes in the Check Point related configuration.
Hi @harhan, Terraform does not allow us to add features after the user runs "terraform apply", and that is why we create post apply scripts. We will add a post apply script for "discard", and then you will be able to discard the changes after running apply if you run into errors.
Thank you, Alon
Do you know how to run this command in Terraform Cloud?
Hi @harhan, we added a discard post apply script in the new version of the provider, which is available now. Hope it will be helpful in this issue.
Thank you
When applying a terraform, if parts of it fail, the already successfully applied configuration is committed to the state, while the session isn't published to the SmartCenter/MDS (database). To get synchronisation between the state and database one has to manually publish the session.
Desired outcome: If a terraform fails, rollback the configuration in the database (discard) as well and disconnect the API session gracefully.
PS! This can cause issues when provisioning gateways (SIC is a one time procedure). Though most terraform jobs are configuring rules and objects, so it is better to make a note in the documentation regarding resources that are "one shot".