ninixclub
Explorer

Manage security policies via Terraform

Hello

I am trying to manage our security policies via Terraform, but I have a few questions:

Question 1:

For each object created, are we obliged to use a dedicated publish resource (with the object as a dependency of the publish resource), or is it possible to use a generic publish resource? -> In order to publish all objects created before, without a dependency.

Question 2:

After creating an object, if I want to delete it, what is the correct method? I tried deleting its configuration in the tf file and removing the dependency in the publish resource, but it doesn't work. In the management server I see this object is locked (not deleted).

Question 3:

I added the install policy resource at the end of my tf file. It works well, but only for the first terraform apply! I think that is normal, because after that Terraform sees no change on this resource and does nothing.

In this case, do you have a solution to make sure that the policy will be installed each time we launch a terraform apply?

0 Kudos
13 Replies
Miguel_Villarr1
Participant

Here is a solution using Terraform and Check Point that might meet your needs. STRUCTURA.IO/Terraform/Check Point 

0 Kudos
ninixclub
Explorer

Hello, thanks for your feedback, but my goal is to use Terraform natively without adding (for the moment) a new product.

We are working on a POC in order to choose our future firewall technology, and Terraform is already used to pilot our on-premise infrastructure (for example: hypervisor, SDN, load balancer, etc.).

So for us it is mandatory that Terraform helps us manage the security equipment and also the access control.

That is the reason for my questions!

Please, I need some answers or links in order to progress in my POC.

0 Kudos
Stuart_Green1
Employee

For q1, I think you can use a timestamp trigger within the publish resource, so if it's different it always gets 'created' when you run terraform apply. The timestamp string will always be different whenever you run a tf apply, so it *should* always trigger that resource to fire.

q2 - not so sure on this one, I'm afraid. The way to delete a resource with terraform is to remove the config. Then with terraform plan / apply you'll see that section appear with a "-" showing that it will be removed. It might be linked to your publish action not being triggered every time. The timestamp option for q1 might fix this too.

q3 - same as for q1, try a timestamp entry as a trigger to make sure it always gets recreated.

0 Kudos
ninixclub
Explorer

It's a very good idea to use a timestamp trigger within the publish resource, but after several tests I unfortunately didn't find a good configuration!

So if you can provide me an example, it would be wonderful 🙂

Regards

0 Kudos
Stuart_Green1
Employee

something like...

resource "checkpoint_management_publish" "myPublishAction" {
  triggers = {
    time-stamp = "${timestamp()}"
  }
}

0 Kudos
ninixclub
Explorer

Hello

Thanks for your help.

I tested it, but it doesn't work.

Here is the error message:

Error: Incorrect attribute value type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers = {
44: time-stamp = "${timestamp()}"
45: }

Inappropriate value for attribute "triggers": set of string required.

Regards

0 Kudos
Stuart_Green1
Employee

How about without the '=' after 'triggers'? (Trying to do this from memory and not in front of a computer 🙂)

0 Kudos
ninixclub
Explorer

Hello

Sorry, but it doesn't work either 🙂

Error: Unsupported block type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers {

Blocks of type "triggers" are not expected here. Did you mean to define
argument "triggers"? If so, use the equals sign to assign it a value.

Regards

0 Kudos
Stuart_Green1
Employee

OK, back at my laptop now 🙂

Can you post your TF template please? No sensitive info, of course.

0 Kudos
ninixclub
Explorer

Here is one of the tf files that I use for my tests, to illustrate my issue.

It works fine, but only the first time: afterwards, if I want to delete or add an object, the publish and install resources are not executed during a terraform apply!

That's normal, because for Terraform these resources have not changed!

Thanks for your help

Regards

variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {}
variable "CHECKPOINT_CONTEXT" {}

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.3.0"
    }
  }
}

provider "checkpoint" {
  # Configuration options
  server   = var.CHECKPOINT_SERVER
  username = var.CHECKPOINT_USERNAME
  password = var.CHECKPOINT_PASSWORD
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10"
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20"
  color        = "red"
}

# No arguments change between runs, so this resource is created on the
# first apply and never touched again
resource "checkpoint_management_publish" "publish_changes" {}

# Same here: installs once, then shows no diff on later applies
resource "checkpoint_management_install_policy" "install_fwtest" {
  policy_package = "pol_test"
  targets        = ["fwtest"]
}

0 Kudos
Stuart_Green1
Employee

This works for the publish action and should work for the install action too:

resource "checkpoint_management_publish" "publish_changes" {
  triggers = ["${timestamp()}"]
}

I've tested the other uses you mentioned and the publish action kicks in after every terraform apply.

0 Kudos
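The trigger approach from the reply above, applied to the whole of the poster's mainv2.tf so that publish and install run on every apply and in the right order. This is an added example, not code from the thread or from the provider's documentation. It assumes the CheckPointSW/checkpoint provider at 1.3.0 (the version the poster runs, which has the triggers argument on the publish resource) and that checkpoint_management_install_policy accepts the same triggers list; the local name run_id is my own choice.

```hcl
# Added example: the poster's mainv2.tf reworked so publish and install
# fire on every terraform apply. Assumes provider 1.3.0 and that the
# install_policy resource accepts `triggers` like the publish resource.

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.3.0"
    }
  }
}

variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {
  sensitive = true # keep the management password out of plan output
}

provider "checkpoint" {
  server   = var.CHECKPOINT_SERVER
  username = var.CHECKPOINT_USERNAME
  password = var.CHECKPOINT_PASSWORD
}

locals {
  # A new string on every apply; both publish and install key on it,
  # so both are replaced (and therefore re-executed) each run.
  run_id = timestamp()
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10"
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20"
  color        = "red"
}

# One generic publish for everything in this file (question 1): the
# depends_on list makes Terraform create/update the objects before the
# publish runs, instead of letting them execute in parallel.
resource "checkpoint_management_publish" "publish_changes" {
  triggers = [local.run_id]

  depends_on = [
    checkpoint_management_host.test1,
    checkpoint_management_host.test2,
  ]
}

# Install only after the publish (question 3); without depends_on the
# gateway could receive the previously published version of the package.
resource "checkpoint_management_install_policy" "install_fwtest" {
  policy_package = "pol_test"
  targets        = ["fwtest"]
  triggers       = [local.run_id]

  depends_on = [checkpoint_management_publish.publish_changes]
}
```

Two things to check before putting this in a pipeline. First, timestamp() is only known at apply time, so every plan shows publish_changes and install_fwtest being replaced; a "no changes" plan is never possible with this file, and if you need a clean plan, run publish and install from a separate root module or a separate step. Second, for question 2: when you delete a host block, remove it from the depends_on list as well, and expect the publish to run before the host is actually deleted, because Terraform applies the dependents of a removed resource before it destroys that resource. The deletion then stays in the unpublished session and the object shows as locked in SmartConsole; run terraform apply once more and verify in SmartConsole that the object is gone, and if it is still locked, publish or discard that session from SmartConsole.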
Art_Zalenekas
Employee

True, but we have had the triggers argument since Check Point provider v1.2. Maybe that is the issue. What version are you running? I would highly recommend you run the latest provider version, v1.3.

EDIT: I see that you are running provider v1.3. What version of Terraform are you running?
Also, triggers in the context of the publish resource is a key of type Set, not a dictionary. What @Stuart_Green1 posted is correct and works on my side as well.
https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkp...

https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs/resources/checkpoint_man...

 

0 Kudos
Art_Zalenekas
Employee

triggers is part of the local-exec provisioner, as well as null_resource. You can run multiple provisioners, including local-exec provisioners. They are also conditional, which means they have the when statement as well, to create logic on create/destroy Terraform plans.

# Resource name is illustrative; triggers is an argument of the
# null_resource itself, and the provisioners hang off that resource
resource "null_resource" "publish_hook" {
  # Any change to these values forces a new null_resource, which
  # re-runs the create-time provisioner
  triggers = {
    command = "<command;command>"
  }

  provisioner "local-exec" {
    when    = create
    command = "<command;command>"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "<commands>"
  }
}

 Look at null-resource as well.
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource

 

0 Kudos