checkpoint_management_group - cannot delete host

alexproca — Tue, 03 Jan 2023 18:50:06 GMT

Hello all,

using checkpoint_management_host with a for_each loop to iterate over a local nested map and create hosts.
using checkpoint_management_group to create a group and in members, add the values of the hosts i've just created.

Works fine when i create hosts, but when I remove them(from the map), terraform tries to delete the host before removing it from the group. CP API is then giving an error that it can't delete an used object.

The destroy happens before the update-in-place and the only way to change that is to use create_before_destroy but then I run into other issues with publishing/installing policies, because those use destroy and then create replacement.

Tried adding the replace_triggered_by to the group, but still it does update-in-place.

Any ideas how to solve this ?

Code:

``
locals {
clients = {
"client_1" = {
remote_ip = "10.100.200.1"
remote_port = "3001"
}
"client_2" = {
remote_ip = "10.100.200.2"
remote_port = "3002"
}
"client_3" = {
remote_ip = "10.100.200.3"
remote_port = "3003"
}
}
}

resource "checkpoint_management_host" "hosts_lab" {
for_each = local.clients
name = "host_${each.key}"
ipv4_address = each.value["remote_ip"]
ignore_warnings = true
nat_settings = {}
tags = []
lifecycle {
precondition {
condition = can(cidrsubnet("${each.value["remote_ip"]}/32",0,0))
error_message = "Must be valid IPv4 Address."
}
}

}

resource "checkpoint_management_group" "groups_lab" {
name = "group_terraformed"
members = values(checkpoint_management_host.hosts_lab)[*].name
ignore_warnings = true
depends_on = [ checkpoint_management_host.hosts_lab]
lifecycle {
replace_triggered_by = [checkpoint_management_host.hosts_lab ]
}
}

resource "checkpoint_management_service_tcp" "tcp_service" {
for_each = local.clients
name = "tcp_${each.key}"
port = "${each.value.remote_port}"
session_timeout = 3600
match_for_any = true
sync_connections_on_cluster = true
ignore_warnings = true
aggressive_aging = {
enable = true
timeout = 360
use_default_timeout = false
}
keep_connections_open_after_policy_installation = true
tags = []
lifecycle {
precondition {
condition = (
each.value["remote_port"] >= 1000 &&
each.value["remote_port"] <= 65000
)
error_message = "Port number must be between 1000 and 65000"
}
}

}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS1_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS2_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_publish" "unstable_lab" {
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service]
}

resource "checkpoint_management_install_policy" "FWL_VS1" {
policy_package = "FWLVS1_policy"
targets = ["FWLVS1"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab ]
}

resource "checkpoint_management_install_policy" "FWL_VS2" {
policy_package = "FWLVS2_policy"
targets = ["FWLVS2"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1 ]
}

resource "checkpoint_management_logout" "unstable_lab" {
triggers = ["${timestamp()}"]
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1, checkpoint_management_install_policy.FWL_VS2]
}

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy
-/+ destroy and then create replacement
Terraform will perform the following actions:

checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
- action = "Accept" -> null
- action_settings = {
  - "enable_identity_captive_portal" = "false"
    } -> null
- content = [] -> null
- content_direction = "any" -> null
- content_negate = false -> null
- custom_fields = {} -> null
- destination = [
  - "host_client_3",
    ] -> null
- destination_negate = false -> null
- enabled = true -> null
- id = "60df76ab-952c-4a81-9242-f811fc712003" -> null
- ignore_errors = false -> null
- ignore_warnings = false -> null
- install_on = [] -> null
- layer = "FWL-BE-DMZINT_policy Network" -> null
- name = "client_3" -> null
- position = {
  - "top" = "top"
    } -> null
- service = [
  - "tcp_client_3",
    ] -> null
- service_negate = false -> null
- source = [
  - "existing_group",
    ] -> null
- source_negate = false -> null
- time = [] -> null
- track = {
  - "accounting" = "true"
  - "per_connection" = "true"
  - "type" = "Log"
    } -> null
- vpn = "Any" -> null
  }

checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
- action = "Accept" -> null
- action_settings = {
  - "enable_identity_captive_portal" = "false"
    } -> null
- content = [] -> null
- content_direction = "any" -> null
- content_negate = false -> null
- custom_fields = {} -> null
- destination = [
  - "host_client_3",
    ] -> null
- destination_negate = false -> null
- enabled = true -> null
- id = "0fee58d6-0f04-43c7-96eb-4acdddbccc43" -> null
- ignore_errors = false -> null
- ignore_warnings = false -> null
- install_on = [] -> null
- layer = "FWL-BE-DMZPRV_policy Network" -> null
- name = "client_3" -> null
- position = {
  - "top" = "top"
    } -> null
- service = [
  - "tcp_client_3",
    ] -> null
- service_negate = false -> null
- source = [
  - "existing_group",
    ] -> null
- source_negate = false -> null
- time = [] -> null
- track = {
  - "accounting" = "true"
  - "per_connection" = "true"
  - "type" = "Log"
    } -> null
- vpn = "Any" -> null
  }

checkpoint_management_group.groups_lab will be updated in-place

~ resource "checkpoint_management_group" "groups_lab" {
id = "cb645dd5-5221-445a-ab4b-d12d8bab0a61"
~ members = [
- "host_client_3",
# (2 unchanged elements hidden)
]
name = "group_terraformed"
tags = []
# (3 unchanged attributes hidden)
}

checkpoint_management_host.hosts_lab["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

resource "checkpoint_management_host" "hosts_lab" {
- color = "black" -> null
- id = "c2605a4c-6800-4654-909c-f98b7e3fe1d0" -> null
- ignore_errors = false -> null
- ignore_warnings = true -> null
- ipv4_address = "10.100.200.3" -> null
- name = "host_client_3" -> null
- nat_settings = {} -> null
- tags = [] -> null
  }

checkpoint_management_install_policy.FWL_VS1 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS1" {
~ id = "install-policy-nrqihmvykd" -> (known after apply)
~ task_id = "1ccf9d30-b246-43f4-8ce8-1c8cc2b5bb49" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_install_policy.FWL_VS2 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS2" {
~ id = "install-policy-br8oh3nykd" -> (known after apply)
~ task_id = "95c7efda-2ac7-48ed-a72f-235fa835e0d8" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_logout.unstable_lab must be replaced

-/+ resource "checkpoint_management_logout" "unstable_lab" {
~ id = "logout-ypdyzdj9kg" -> (known after apply)
~ triggers = [
- "2023-01-03T18:20:43Z",
] -> (known after apply) # forces replacement
}

checkpoint_management_publish.unstable_lab must be replaced

-/+ resource "checkpoint_management_publish" "unstable_lab" {
~ id = "publish-vgndg6ldby" -> (known after apply)
~ task_id = "01234567-89ab-cdef-8d12-8c39b51d80ed" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
}

checkpoint_management_service_tcp.tcp_service["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

resource "checkpoint_management_service_tcp" "tcp_service" {
- aggressive_aging = {
  - "enable" = "true"
  - "timeout" = "360"
  - "use_default_timeout" = "false"
    } -> null
- color = "black" -> null
- id = "6fe11bfc-2659-47f8-a04e-80fec5593c50" -> null
- ignore_errors = false -> null
- ignore_warnings = true -> null
- keep_connections_open_after_policy_installation = true -> null
- match_by_protocol_signature = false -> null
- match_for_any = true -> null
- name = "tcp_client_3" -> null
- override_default_settings = false -> null
- port = "3003" -> null
- session_timeout = 3600 -> null
- sync_connections_on_cluster = true -> null
- tags = [] -> null
- use_default_session_timeout = true -> null
  }
  Plan: 4 to add, 1 to change, 8 to destroy.
  checkpoint_management_logout.unstable_lab: Destroying... [id=logout-ypdyzdj9kg]
  checkpoint_management_logout.unstable_lab: Destruction complete after 0s
  checkpoint_management_install_policy.FWL_VS2: Destroying... [id=install-policy-br8oh3nykd]
  checkpoint_management_install_policy.FWL_VS2: Destruction complete after 0s
  checkpoint_management_install_policy.FWL_VS1: Destroying... [id=install-policy-nrqihmvykd]
  checkpoint_management_install_policy.FWL_VS1: Destruction complete after 0s
  checkpoint_management_publish.unstable_lab: Destroying... [id=publish-vgndg6ldby]
  checkpoint_management_publish.unstable_lab: Destruction complete after 0s
  checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destroying... [id=60df76ab-952c-4a81-9242-f811fc712003]
  checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destroying... [id=0fee58d6-0f04-43c7-96eb-4acdddbccc43]
  checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destruction complete after 0s
  checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destruction complete after 0s
  checkpoint_management_host.hosts_lab["client_3"]: Destroying... [id=c2605a4c-6800-4654-909c-f98b7e3fe1d0]
  checkpoint_management_service_tcp.tcp_service["client_3"]: Destroying... [id=6fe11bfc-2659-47f8-a04e-80fec5593c50]
  checkpoint_management_service_tcp.tcp_service["client_3"]: Destruction complete after 0s
  ╷
  │ Error: failed to execute API call
  │ Status: 400 Bad Request
  │ Code: err_validation_failed
  │ Message: Validation failed with 1 warning
  │ Warnings:
  │ 1. Object host_client_3 is used by the following objects: group_terraformed
  │
  │
  ╵
  Cleaning up project directory and file based variables
  00:00
  ERROR: Job failed: exit code 1

Re: checkpoint_management_group - cannot delete host

alexproca — Thu, 05 Jan 2023 09:48:18 GMT

Another note, I tried ignore_warnings/errors but it did not work also, the checkpoint api/gui does not allow you to delete a host that is part of a group.

Re: checkpoint_management_group - cannot delete host

PhoneBoy — Thu, 05 Jan 2023 13:10:51 GMT

What is the version/JHF of management?
What does a where-used on the relevant object show?

Re: checkpoint_management_group - cannot delete host

the_rock — Thu, 05 Jan 2023 14:09:40 GMT

I once had hell of a time with trying to delete identity provider object that was referenced with a specific gateway. I must have spent close to 3 hours with TAC on the phone until we finally got it...had to re-log back into Guidbedit close to 20 times and remove every single reference of it.I hope your case is not going to be like mine, but Gudbedit is always good place to start, because once removed from database, you will not have any issues with smart console.

Re: checkpoint_management_group - cannot delete host

alexproca — Fri, 06 Jan 2023 08:45:20 GMT

HOTFIX_R81_10_JUMBO_HF_MAIN Take: 66

The relevant object showed up in the group I created with terraform. Process.

1. create host x with terraform

2. create group y with members host x with terraform

at this point host x was used in group y.

3. when trying to delete host x, terraform does two things:
3a. delete: host x
3b. update-in-place: remove host x from group y

Since terraform is trying to do 3a before 3b, API gives error that the group is used.

Re: checkpoint_management_group - cannot delete host

alexproca — Fri, 06 Jan 2023 14:16:51 GMT

It's a terraform provider problem, not a management or api problem.
Also posted this on the provider github page and a developer acknowledged the bug and promised to solve in the next release.

https://github.com/CheckPointSW/terraform-provider-checkpoint/issues/135
The version i tried is v2.1.0 so look for the bug fix in the release notes of future versions.

topic Re: checkpoint_management_group - cannot delete host in DevSecOps

checkpoint_management_group - cannot delete host

checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

checkpoint_management_group.groups_lab will be updated in-place

checkpoint_management_host.hosts_lab["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

checkpoint_management_install_policy.FWL_VS1 must be replaced

checkpoint_management_install_policy.FWL_VS2 must be replaced

checkpoint_management_logout.unstable_lab must be replaced

checkpoint_management_publish.unstable_lab must be replaced

checkpoint_management_service_tcp.tcp_service["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

Re: checkpoint_management_group - cannot delete host

Re: checkpoint_management_group - cannot delete host

Re: checkpoint_management_group - cannot delete host

Re: checkpoint_management_group - cannot delete host

Re: checkpoint_management_group - cannot delete host