Terraform - how to add new host or network objects to existing group

Peter_Janum_Sod — Tue, 04 May 2021 13:09:57 GMT

Hi CheckMates.

We are investigating the possibilities for using Terraform integration to automate management of firewall policies, and we are running into an unexpected issue.

It is relatively straight forward to prepare Check Point management and Terraform to work together, and we can create and modify new objects, add new hosts and network objects to new groups etc. The issue is, that it is only possible to mange objects created by Terraform, and not existing objects.

Our use case is, that we will create a simple group with SmartConsole and use this object in a firewall rule. With Terraform we will create new host or network objects and add these to the existing group. This is not working, and it looks like a problem with UUID's for the objects.

We are using the checkpoint provider for terraform (https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest).

What have we tried out:

Experimenting with the checkpoint provider, reading the provider documentation & code and the API documentation, we tried out following terraform configuration:

terraform {

required_providers {

checkpoint = {

version = ">=1.4.0"

source = "CheckPointSW/checkpoint"

}

"checkpoint" {

server = ""

username = ""

password = ""

context = "web_api"

}

resource "checkpoint_management_network" "service_subnet1" {

name = "net-192.168.2.0-m24"

subnet4 = "198.168.2.0"

mask_length4 = 24

}

resource "checkpoint_management_network" "service_subnet2" {

name = "net-192.168.3.0-m24"

subnet4 = "198.168.3.0"

mask_length4 = 24

}

resource "checkpoint_management_group" "group" {

name = "terraformtestgroup" # We would like to create this group directly in checkpoint, and update it using terraform

members = [ checkpoint_management_network.service_subnet1.name, checkpoint_management_network.service_subnet2.name ]

}

Then we run publish using the provided excutable to publish the session.

Can anybody out there suggest a solution to our issue? Or do anyone know who in Check Point to contact for Terraform issues?

Thanks in advance 🙂

Peter Sode

Dubex, Denmark

Re: Terraform - how to add new host or network objects to existing group

Jonas_Rosenboom — Wed, 05 May 2021 13:33:25 GMT

Hi Peter,

You can't manage resources in Terraform that aren't created by Terraform, unless you import them first.

Have a look at https://www.terraform.io/docs/cli/import/index.html to import the existing group to be managed by Terraform after being created "by other means". The lifecycle argument `prevent_destroy` can be used to safeguard against accidental deletion of the group (https://www.terraform.io/docs/language/meta-arguments/lifecycle.html#prevent_destroy).

Having external unmanaged dependencies can be an acceptable temporary solution while you transition your infrastructure to Terraform if you are planning to eventually have everything in Terraform.

Depending on your overall use-cases, the scenario you are describing here could be a great candidate for a generic DC object as well - Generic Data Center Object. This could be as simple as updating a hosted JSON file with a template from inside Terraform. This has the additional benefit that it updates without requiring a policy installation.

The other option that might be interesting is our integration with Hashicorp Consul: https://github.com/CheckPointSW/terraform-checkpoint-dynobj-nia

topic Terraform - how to add new host or network objects to existing group in API / CLI Discussion

Terraform - how to add new host or network objects to existing group

Re: Terraform - how to add new host or network objects to existing group