Hello all,

1. using checkpoint_management_host with a for_each loop to iterate over a local nested map and create hosts.
2. using checkpoint_management_group to create a group and in members, add the values of the hosts i've just created.

Works fine when i create hosts, but when I remove them(from the map), terraform tries to delete the host before removing it from the group. CP API is then giving an error that it can't delete an used object.

The destroy happens before the update-in-place and the only way to change that is to use create_before_destroy but then I run into other issues with publishing/installing policies, because those use destroy and then create replacement.

Tried adding the replace_triggered_by to the group, but still it does update-in-place.

Any ideas how to solve this ?

Code:

``
locals {
clients = {
"client_1" = {
remote_ip = "10.100.200.1"
remote_port = "3001"
}
"client_2" = {
remote_ip = "10.100.200.2"
remote_port = "3002"
}
"client_3" = {
remote_ip = "10.100.200.3"
remote_port = "3003"
}
}
}

resource "checkpoint_management_host" "hosts_lab" {
for_each = local.clients
name = "host_${each.key}"
ipv4_address = each.value["remote_ip"]
ignore_warnings = true
nat_settings = {}
tags = []
lifecycle {
precondition {
condition = can(cidrsubnet("${each.value["remote_ip"]}/32",0,0))
error_message = "Must be valid IPv4 Address."
}
}

}

resource "checkpoint_management_group" "groups_lab" {
name = "group_terraformed"
members = values(checkpoint_management_host.hosts_lab)[*].name
ignore_warnings = true
depends_on = [ checkpoint_management_host.hosts_lab]
lifecycle {
replace_triggered_by = [checkpoint_management_host.hosts_lab ]
}
}

resource "checkpoint_management_service_tcp" "tcp_service" {
for_each = local.clients
name = "tcp_${each.key}"
port = "${each.value.remote_port}"
session_timeout = 3600
match_for_any = true
sync_connections_on_cluster = true
ignore_warnings = true
aggressive_aging = {
enable = true
timeout = 360
use_default_timeout = false
}
keep_connections_open_after_policy_installation = true
tags = []
lifecycle {
precondition {
condition = (
each.value["remote_port"] >= 1000 &&
each.value["remote_port"] <= 65000
)
error_message = "Port number must be between 1000 and 65000"
}
}

}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS1_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS2_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_publish" "unstable_lab" {
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service]
}

resource "checkpoint_management_install_policy" "FWL_VS1" {
policy_package = "FWLVS1_policy"
targets = ["FWLVS1"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab ]
}

resource "checkpoint_management_install_policy" "FWL_VS2" {
policy_package = "FWLVS2_policy"
targets = ["FWLVS2"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1 ]
}

resource "checkpoint_management_logout" "unstable_lab" {
triggers = ["${timestamp()}"]
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1, checkpoint_management_install_policy.FWL_VS2]
}

``

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy
-/+ destroy and then create replacement
Terraform will perform the following actions:

checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

• resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
  • action = "Accept" -> null
  • action_settings = {
    • "enable_identity_captive_portal" = "false"
      } -> null
  • content = [] -> null
  • content_direction = "any" -> null
  • content_negate = false -> null
  • custom_fields = {} -> null
  • destination = [
    • "host_client_3",
      ] -> null
  • destination_negate = false -> null
  • enabled = true -> null
  • id = "60df76ab-952c-4a81-9242-f811fc712003" -> null
  • ignore_errors = false -> null
  • ignore_warnings = false -> null
  • install_on = [] -> null
  • layer = "FWL-BE-DMZINT_policy Network" -> null
  • name = "client_3" -> null
  • position = {
    • "top" = "top"
      } -> null
  • service = [
    • "tcp_client_3",
      ] -> null
  • service_negate = false -> null
  • source = [
    • "existing_group",
      ] -> null
  • source_negate = false -> null
  • time = [] -> null
  • track = {
    • "accounting" = "true"
    • "per_connection" = "true"
    • "type" = "Log"
      } -> null
  • vpn = "Any" -> null
    }

checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

• resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
  • action = "Accept" -> null
  • action_settings = {
    • "enable_identity_captive_portal" = "false"
      } -> null
  • content = [] -> null
  • content_direction = "any" -> null
  • content_negate = false -> null
  • custom_fields = {} -> null
  • destination = [
    • "host_client_3",
      ] -> null
  • destination_negate = false -> null
  • enabled = true -> null
  • id = "0fee58d6-0f04-43c7-96eb-4acdddbccc43" -> null
  • ignore_errors = false -> null
  • ignore_warnings = false -> null
  • install_on = [] -> null
  • layer = "FWL-BE-DMZPRV_policy Network" -> null
  • name = "client_3" -> null
  • position = {
    • "top" = "top"
      } -> null
  • service = [
    • "tcp_client_3",
      ] -> null
  • service_negate = false -> null
  • source = [
    • "existing_group",
      ] -> null
  • source_negate = false -> null
  • time = [] -> null
  • track = {
    • "accounting" = "true"
    • "per_connection" = "true"
    • "type" = "Log"
      } -> null
  • vpn = "Any" -> null
    }

checkpoint_management_group.groups_lab will be updated in-place

~ resource "checkpoint_management_group" "groups_lab" {
id = "cb645dd5-5221-445a-ab4b-d12d8bab0a61"
~ members = [
- "host_client_3",
# (2 unchanged elements hidden)
]
name = "group_terraformed"
tags = []
# (3 unchanged attributes hidden)
}

checkpoint_management_host.hosts_lab["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

• resource "checkpoint_management_host" "hosts_lab" {
  • color = "black" -> null
  • id = "c2605a4c-6800-4654-909c-f98b7e3fe1d0" -> null
  • ignore_errors = false -> null
  • ignore_warnings = true -> null
  • ipv4_address = "10.100.200.3" -> null
  • name = "host_client_3" -> null
  • nat_settings = {} -> null
  • tags = [] -> null
    }

checkpoint_management_install_policy.FWL_VS1 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS1" {
~ id = "install-policy-nrqihmvykd" -> (known after apply)
~ task_id = "1ccf9d30-b246-43f4-8ce8-1c8cc2b5bb49" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_install_policy.FWL_VS2 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS2" {
~ id = "install-policy-br8oh3nykd" -> (known after apply)
~ task_id = "95c7efda-2ac7-48ed-a72f-235fa835e0d8" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_logout.unstable_lab must be replaced

-/+ resource "checkpoint_management_logout" "unstable_lab" {
~ id = "logout-ypdyzdj9kg" -> (known after apply)
~ triggers = [
- "2023-01-03T18:20:43Z",
] -> (known after apply) # forces replacement
}

checkpoint_management_publish.unstable_lab must be replaced

-/+ resource "checkpoint_management_publish" "unstable_lab" {
~ id = "publish-vgndg6ldby" -> (known after apply)
~ task_id = "01234567-89ab-cdef-8d12-8c39b51d80ed" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
}

checkpoint_management_service_tcp.tcp_service["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

• resource "checkpoint_management_service_tcp" "tcp_service" {
  • aggressive_aging = {
    • "enable" = "true"
    • "timeout" = "360"
    • "use_default_timeout" = "false"
      } -> null
  • color = "black" -> null
  • id = "6fe11bfc-2659-47f8-a04e-80fec5593c50" -> null
  • ignore_errors = false -> null
  • ignore_warnings = true -> null
  • keep_connections_open_after_policy_installation = true -> null
  • match_by_protocol_signature = false -> null
  • match_for_any = true -> null
  • name = "tcp_client_3" -> null
  • override_default_settings = false -> null
  • port = "3003" -> null
  • session_timeout = 3600 -> null
  • sync_connections_on_cluster = true -> null
  • tags = [] -> null
  • use_default_session_timeout = true -> null
    }
    Plan: 4 to add, 1 to change, 8 to destroy.
    checkpoint_management_logout.unstable_lab: Destroying... [id=logout-ypdyzdj9kg]
    checkpoint_management_logout.unstable_lab: Destruction complete after 0s
    checkpoint_management_install_policy.FWL_VS2: Destroying... [id=install-policy-br8oh3nykd]
    checkpoint_management_install_policy.FWL_VS2: Destruction complete after 0s
    checkpoint_management_install_policy.FWL_VS1: Destroying... [id=install-policy-nrqihmvykd]
    checkpoint_management_install_policy.FWL_VS1: Destruction complete after 0s
    checkpoint_management_publish.unstable_lab: Destroying... [id=publish-vgndg6ldby]
    checkpoint_management_publish.unstable_lab: Destruction complete after 0s
    checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destroying... [id=60df76ab-952c-4a81-9242-f811fc712003]
    checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destroying... [id=0fee58d6-0f04-43c7-96eb-4acdddbccc43]
    checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destruction complete after 0s
    checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destruction complete after 0s
    checkpoint_management_host.hosts_lab["client_3"]: Destroying... [id=c2605a4c-6800-4654-909c-f98b7e3fe1d0]
    checkpoint_management_service_tcp.tcp_service["client_3"]: Destroying... [id=6fe11bfc-2659-47f8-a04e-80fec5593c50]
    checkpoint_management_service_tcp.tcp_service["client_3"]: Destruction complete after 0s
    ╷
    │ Error: failed to execute API call
    │ Status: 400 Bad Request
    │ Code: err_validation_failed
    │ Message: Validation failed with 1 warning
    │ Warnings:
    │ 1. Object host_client_3 is used by the following objects: group_terraformed
    │
    │
    ╵
    Cleaning up project directory and file based variables
    00:00
    ERROR: Job failed: exit code 1