Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Harald_Hansen
Collaborator

CheckPoint Terraform Provider; Lack of "glue"

When using Terraform one depends on the provider to give feedback on created resources.

For instance, if I create a policy package with "checkpoint_management_package" I cannot get any ID on neither the policy package itself, nor the checkpoint_management_access_layer. Without that information I cannot create the rules for this layer in that terraform if I have multiple policy packages in the domain/smartcenter.

There is no way to add a layer to any policy either, which is the preferred way; create an empty policy package, then add the access layer as a separate operation.

Every resource has to have some UID, unique name or other way of referencing it dynamically.

This lack of glue makes it impossible to create a single terraform.

Example:

 

 

resource "checkpoint_management_package" "cloudPolicy" {
  name = "cloudPolicy"
  comments = "Automated by Terraform"
  threat_prevention = false
  access = false
}

resource "checkpoint_management_access_layer" "cloudLayer" {
  name = "cloudLayer"
  package = checkpoint_management_package.uid
  ...
}

resource "checkpoint_management_access_rule" "cloudRule1" {
  layer = checkpoint_management_access_layer.cloudLayer.uid
  position = {top = "top"}
  name = "test1"
}

 

 

Without the UID I cannot glue together the TF above.

I suggest you take a look at a relatively mature provider, like azurerm, for inspiration. I can write large terraforms without relying on depends_on, which is bad practice, and there are multiple options for creating resources.

0 Replies