I'm using Terraform and pass the parameters of the Management during deployment as follow

custom_data = templatefile("${path.module}/cloud-init.sh", {
installation_type = var.installation_type_mgmt
allow_upload_download = var.allow_upload_download
os_version = var.os_version
template_name = var.template_name
template_version = var.template_version
template_type = var.template_type
is_blink = var.is_blink
bootstrap_script64 = base64encode(var.bootstrap_script)
location = azurerm_resource_group.mainmgmt.location
management_GUI_client_network = var.management_GUI_client_network
enable_api = var.mgmt_enable_api
admin_shell = var.admin_shell
serial_console_password_hash = var.serial_console_password_hash
maintenance_mode_password_hash = var.maintenance_mode_password_hash
})

Until 2-3 days ago worked well with enable_api = "all". 

Now seems that this value is no more able to set the value to all ip addresses.

I've already tried with "all ip addresses" and "All", but noting now change and when I try to connect as follow

# Connecting to ckpmgmt
provider "checkpoint" {
server = tostring(local.mgmt_pubip_real)
username = var.default_admin_username_gaia
password = var.admin_password_mgmt
context = var.provider-context
timeout = "180"
}

with context = "web_api" I receive the error that the connection is not possible because is not setted "all ip addresses" infact with SmartConsole I see that is set to accept api connections only from management.

For the test I've used the code from the following gihub repository: https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/management-new-vnet

If the API is not configured to allow access from the relevant IP, anything relying on the API will fail.
This means you need to fix this issue in SmartConsole before attempting to use Terraform.

I know, but why until fee days ago during the vm creation with the cloud-init parametrrs passed as arguments worked?

If I look in cloud_configure_azure_instance.py file on the management server instance deployed (R81.20) I see are defined the function to enable api on management and set the access permission:

def accepted_api_calls_from_allowed_value(self, enable_api_to):
"""#TODO fixDocstring"""
switcher = {
object_to_str(EnableApiAllowedValues.ALL):
EnableApiToCommand.ALL,
object_to_str(EnableApiAllowedValues.MANAGEMENT_ONLY):
EnableApiToCommand.
MANAGEMENT_ONLY,
object_to_str(EnableApiAllowedValues.GUI_CLIENTS):
EnableApiToCommand.
GUI_CLIENTS
}
return (switcher.get(enable_api_to))

def run_enable_api_commands(self, enable_api_to):
"""#TODO fixDocstring"""
accepted_api_calls_from = object_to_str(
self.accepted_api_calls_from_allowed_value(
enable_api_to.lower()))
enable_api_commands = ['api start',
'mgmt_cli -r true set-api-settings '
'accepted-api-calls-from "{}" --domain '
'\'System Data\''.format(
accepted_api_calls_from),
'api reconf']
for command in enable_api_commands:
try:
out, status = run_cmd(command)
except Exception as e:
log('{}'.format(e), level=logging.ERROR)

def enable_api(self):
"""#TODO fixDocstring"""
enable_api_to = self.template_vars[ENABLE_API]
is_valid_value = enable_api_to.lower() in (value.lower() for
value in
ENABLE_API_ALLOW_VALUES)
if is_valid_value:
self.run_enable_api_commands(enable_api_to)
else:
log(
"-- Error message: invalid value for 'enableApi' parameter. "
"The invalid value {} should be replaced by one of the "
"following values: {} or 'disable'.".format(
enable_api_to, ENABLE_API_ALLOW_VALUES),
level=logging.ERROR)

def enable_api_if_needed(self):
"""#TODO fixDocstring"""
enable_api = self.template_vars.get(ENABLE_API)
if not enable_api or enable_api == EnableApiAllowedValues.DISABLE:
pass
else:
self.enable_api()

In the file cloud_config_globals.py there are defined these two classes that confirm that I need to use the "all" value that is managed as "all ip addresses":

class EnableApiAllowedValues(set):
"""#TODO fixDocstring"""
DISABLE = "disable"
ALL = "all"
MANAGEMENT_ONLY = "management_only"
GUI_CLIENTS = "gui_clients"

class EnableApiToCommand(set):
"""#TODO fixDocstring"""
DISABLE = "disable"
ALL = "all ip addresses"
MANAGEMENT_ONLY = "management server only"
GUI_CLIENTS = "all ip addresses that can be used for gui clients"

So I need to understand why in my case the api are correctly enabled and started, but the access permissions are not set to any ip address despite the parameter is set to "all" but only in my latest days instead before was correctly setted to any and not to the default value "management server only".

If I'm looking to the right scrypts, I see that the command used to set the api access is

mgmt_cli -r true set-api-settings '
'accepted-api-calls-from "{}" --domain '
'\'System Data\''.format(
accepted_api_calls_from)

But I can't execute this command on a non MDS management, as say the error if try to run this command manually. I think this is the problem, but I don't understand why before has worked.