topic Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment in API / CLI Discussion

mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Fri, 09 Feb 2024 13:00:26 GMT

Hi, I'm having problems with the deployment with Terraform on Azure of new Management Servers which do not enable web api for all IP addresses despite the mgmt_enable_api = "all" parameter being set. This can also be done using one of the ready-made test modules on your GitHub repositories.
The strange thing is that until a few days ago this setting worked correctly and it was possible to connect via web-api. Has anyone had the same problem?

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Bob_Zimmerman — Fri, 09 Feb 2024 14:55:52 GMT

The set api-settings call only accepts special values. Try "all ip addresses".

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Fri, 09 Feb 2024 19:46:58 GMT

I'm using Terraform and pass the parameters of the Management during deployment as follow

custom_data = templatefile("${path.module}/cloud-init.sh", {
installation_type = var.installation_type_mgmt
allow_upload_download = var.allow_upload_download
os_version = var.os_version
template_name = var.template_name
template_version = var.template_version
template_type = var.template_type
is_blink = var.is_blink
bootstrap_script64 = base64encode(var.bootstrap_script)
location = azurerm_resource_group.mainmgmt.location
management_GUI_client_network = var.management_GUI_client_network
enable_api = var.mgmt_enable_api
admin_shell = var.admin_shell
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
})

Until 2-3 days ago worked well with enable_api = "all".

Now seems that this value is no more able to set the value to all ip addresses.

I've already tried with "all ip addresses" and "All", but noting now change and when I try to connect as follow

# Connecting to ckpmgmt
provider "checkpoint" {
server = tostring(local.mgmt_pubip_real)
username = var.default_admin_username_gaia
password = var.admin_password_mgmt
context = var.provider-context
timeout = "180"
}

with context = "web_api" I receive the error that the connection is not possible because is not setted "all ip addresses" infact with SmartConsole I see that is set to accept api connections only from management.

For the test I've used the code from the following gihub repository: https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/management-new-vnet

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

PhoneBoy — Sat, 10 Feb 2024 01:21:17 GMT

If the API is not configured to allow access from the relevant IP, anything relying on the API will fail.
This means you need to fix this issue in SmartConsole before attempting to use Terraform.

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Sat, 10 Feb 2024 09:34:45 GMT

I know, but why until fee days ago during the vm creation with the cloud-init parametrrs passed as arguments worked?

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Sat, 10 Feb 2024 16:36:32 GMT

If I look in cloud_configure_azure_instance.py file on the management server instance deployed (R81.20) I see are defined the function to enable api on management and set the access permission:

def accepted_api_calls_from_allowed_value(self, enable_api_to):
"""#TODO fixDocstring"""
switcher = {
object_to_str(EnableApiAllowedValues.ALL):
EnableApiToCommand.ALL,
object_to_str(EnableApiAllowedValues.MANAGEMENT_ONLY):
EnableApiToCommand.
MANAGEMENT_ONLY,
object_to_str(EnableApiAllowedValues.GUI_CLIENTS):
EnableApiToCommand.
GUI_CLIENTS
}
return (switcher.get(enable_api_to))

def run_enable_api_commands(self, enable_api_to):
"""#TODO fixDocstring"""
accepted_api_calls_from = object_to_str(
self.accepted_api_calls_from_allowed_value(
enable_api_to.lower()))
enable_api_commands = ['api start',
'mgmt_cli -r true set-api-settings '
'accepted-api-calls-from "{}" --domain '
'\'System Data\''.format(
accepted_api_calls_from),
'api reconf']
for command in enable_api_commands:
try:
out, status = run_cmd(command)
except Exception as e:
log('{}'.format(e), level=logging.ERROR)

def enable_api(self):
"""#TODO fixDocstring"""
enable_api_to = self.template_vars[ENABLE_API]
is_valid_value = enable_api_to.lower() in (value.lower() for
value in
ENABLE_API_ALLOW_VALUES)
if is_valid_value:
self.run_enable_api_commands(enable_api_to)
else:
log(
"-- Error message: invalid value for 'enableApi' parameter. "
"The invalid value {} should be replaced by one of the "
"following values: {} or 'disable'.".format(
enable_api_to, ENABLE_API_ALLOW_VALUES),
level=logging.ERROR)

def enable_api_if_needed(self):
"""#TODO fixDocstring"""
enable_api = self.template_vars.get(ENABLE_API)
if not enable_api or enable_api == EnableApiAllowedValues.DISABLE:
pass
else:
self.enable_api()

In the file cloud_config_globals.py there are defined these two classes that confirm that I need to use the "all" value that is managed as "all ip addresses":

class EnableApiAllowedValues(set):
"""#TODO fixDocstring"""
DISABLE = "disable"
ALL = "all"
MANAGEMENT_ONLY = "management_only"
GUI_CLIENTS = "gui_clients"

class EnableApiToCommand(set):
"""#TODO fixDocstring"""
DISABLE = "disable"
ALL = "all ip addresses"
MANAGEMENT_ONLY = "management server only"
GUI_CLIENTS = "all ip addresses that can be used for gui clients"

So I need to understand why in my case the api are correctly enabled and started, but the access permissions are not set to any ip address despite the parameter is set to "all" but only in my latest days instead before was correctly setted to any and not to the default value "management server only".

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Sat, 10 Feb 2024 22:06:06 GMT

If I'm looking to the right scrypts, I see that the command used to set the api access is

mgmt_cli -r true set-api-settings '
'accepted-api-calls-from "{}" --domain '
'\'System Data\''.format(
accepted_api_calls_from)

But I can't execute this command on a non MDS management, as say the error if try to run this command manually. I think this is the problem, but I don't understand why before has worked.

Re: mgmt_enable_api = "all" don't work anymore in my terraform deployment

Antonio_Opromol — Tue, 13 Feb 2024 16:43:31 GMT

Solved, after debug I've found that the problem was due to a FTW that doesn't accept my hash password for serial and maintenance, so passing an empty string the FWA finish correctly and the api access are set correctly to any ip address.