Hello thanks four your feeback but my goal is to use natively terraform without add (for the moment) a new product.

We work on a POC in oder to choose our futur Fw technologie and terraform is still used to pilot our premise infrastructure (for example : hypervisor, SDN, Loadbalancer etc ...)

So for us is mandatory that Terraform manage help us to manage security equipements and also the access control.

That the reason of my questions !

Please I need some answers or links in order to progress in my POC.

For q1, I think you can use a timestamp trigger within the publish resource so if it's different - it always gets 'created' when  you run terraform apply. The timestamp string will always be different whenever you run a tf apply, so *should* always trigger that resource to fire. 

q2 - not so sure on this one I'm afraid. The way to delete a resource with terraform is to remove the config. Then with terraform plan / apply you'll see that section appear with a "-" showing that it will be removed. It might be linked to your publish action not being triggered every time. The timestamp option for q1 might fix this too.

q3 - same as for q1, try a timestamp entry as a trigger to make sure it always gets recreated.

It's a very good idea to use timestamp trigger within the publish resource but after serverals tests I unfortunatly didn't find a good configuration!

So if you can provide me an example it will be wonderfull 🙂

Regards

something like...

resource "checkpoint_management_publish" "myPublishAction" {
  triggers = {
    time-stamp = "${timestamp()}"
  }
}

Hello

Thaks for your help 

I tested it but it doesn't work

Here the error message :

Error: Incorrect attribute value type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers = {
44: time-stamp = "${timestamp()}"
45: }

Inappropriate value for attribute "triggers": set of string required.

Regards

How about without the ‘=‘ after ‘triggers’ (trying to do this from memory and not knowing front of a computer 🙂 )

Hello

Sorry bit it doens't work also 🙂

Error: Unsupported block type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers {

Blocks of type "triggers" are not expected here. Did you mean to define
argument "triggers"? If so, use the equals sign to assign it a value.

Regards

ok, back at laptop now 🙂

Can you post your TF template please? No sensitive info of course.

Here one of tf file that I use for my tests in order to illustrate my issue

It works fine but just the first time after if I want to delete or add an object the publish and install resources is not executed during a terraform apply !

It's normal because for terraform these resouces have not been changed !

Thanks for your help

Regards 

variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {}
variable "CHECKPOINT_CONTEXT" {}

terraform {
required_providers {
checkpoint = {
source = "CheckPointSW/checkpoint"
version = "1.3.0"
}
}
}

provider "checkpoint" {
# Configuration options
server = var.CHECKPOINT_SERVER
username = var.CHECKPOINT_USERNAME
password = var.CHECKPOINT_PASSWORD
}

resource "checkpoint_management_host" "test1" {
name = "test1"
ipv4_address = "10.10.10.10"
color = "red"
}

resource "checkpoint_management_host" "test2" {
name = "test2"
ipv4_address = "10.10.10.20"
color = "red"
}

resource "checkpoint_management_publish" "publish_changes" {}

resource "checkpoint_management_install_policy" "install_fwtest" {
policy_package = "pol_test"
targets = ["fwtest"]
}

this works for the publish action and should work for the install action too:

resource "checkpoint_management_publish" "publish_changes" {
  triggers = ["${timestamp()}"]

}

I've tested the other uses you mentioned and the publish action kicks after every terraform apply action.

True, but we had the triggers argument starting Check Point provider v1.2. Maybe that is the issue. What version are you running? I would highly recommend you run the latest provider version v1.3.

EDIT: I see that you are running provider v1.3. What is the version of Terraform you are running?
Also, triggers in the context of the publish resource is a key and type of a Set and not a dictionary. What @StuartGreen posted is correct and works on my side as well.
https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkp...

https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs/resources/checkpoint_man...

triggers is part of local-exec provisioner, as well as null-resource. You can run multiple provisioners, including local-exec provisioners. They are also conditional, which means they have the when statement as well to create logic on create/destroy Terraform plans.

  provisioner "local-exec" {
    triggers {
      command = "<command;command>"
    }
    when    = create
    command = "<command;command>"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "<commands>
  }

 Look at null-resource as well.
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource

Hey guys, I know this was a while back now it came up on another project I was working on recently. Extending on Art's answer - I think the most complete way to manage publish or install actions is using the helper utilities that come with the Check Point Terraform provider (https://github.com/CheckPointSW/terraform-provider-checkpoint/tree/master/commands). They're mention on the overview page but not in the context of how to use them in a TF module. 

First - you need install Go on the machine you're deploying from. Then, clone or download the code from the link above and change to the commands > publish directory. 

Run 'go build publish.go' and it will compile a binary in the current directory named 'publish'. Move this to a directory in your path and check it runs by running 'publish' (it will error, but that's fine at this point).

Then in your TF module, use this as a framework:

terraform {
  required_providers {
    checkpoint = {
      source = "CheckPointSW/checkpoint"
      version = "1.5.0"
    }
  }
}

provider "checkpoint" {
  server   = "YOUR.MGMT.IP.HERE"
  username = "YOURUSER"
  password = "YOURPASSWORD"
  context  = "web_api"
}


resource "checkpoint_management_host" host1 {
  name = "myhost1"
  ipv4_address = "10.20.30.40"
  color = "blue"
  provisioner "local-exec" {
  when    = destroy
  command = "publish"
}
}

resource "checkpoint_management_publish" pub1{
  depends_on = [ checkpoint_management_host.host1 ]
  triggers = [ timestamp() ]
}

You will also need to set environment variables CHECKPOINT_SERVER, CHECKPOINT_USERNAME and CHECKPOINT_PASSWORD for the publish command to connect to your management server.

The module above has a publish 'resource' with dependencies of the host. This makes sure that the publish action happens after the host is added and you'll need to add dependencies on policy elements if you want to have an embedded publish action like this.

For destroy actions - the local-exec provisioner within the host is called and executes the 'publish' binary which uses the session ID file in the Terraform module directory for the SID to publish. 

That's a lot of words for something which is actually pretty simple and in testing, works well!