Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
alexproca
Participant
Jump to solution

checkpoint_management_group - cannot delete host

Hello all,

  1. using checkpoint_management_host with a for_each loop to iterate over a local nested map and create hosts.
  2. using checkpoint_management_group to create a group and in members, add the values of the hosts i've just created.

Works fine when i create hosts, but when I remove them(from the map), terraform tries to delete the host before removing it from the group. CP API is then giving an error that it can't delete an used object.

The destroy happens before the update-in-place and the only way to change that is to use create_before_destroy but then I run into other issues with publishing/installing policies, because those use destroy and then create replacement.

Tried adding the replace_triggered_by to the group, but still it does update-in-place.

Any ideas how to solve this ?

Code:

``
locals {
clients = {
"client_1" = {
remote_ip = "10.100.200.1"
remote_port = "3001"
}
"client_2" = {
remote_ip = "10.100.200.2"
remote_port = "3002"
}
"client_3" = {
remote_ip = "10.100.200.3"
remote_port = "3003"
}
}
}

resource "checkpoint_management_host" "hosts_lab" {
for_each = local.clients
name = "host_${each.key}"
ipv4_address = each.value["remote_ip"]
ignore_warnings = true
nat_settings = {}
tags = []
lifecycle {
precondition {
condition = can(cidrsubnet("${each.value["remote_ip"]}/32",0,0))
error_message = "Must be valid IPv4 Address."
}
}

}

resource "checkpoint_management_group" "groups_lab" {
name = "group_terraformed"
members = values(checkpoint_management_host.hosts_lab)[*].name
ignore_warnings = true
depends_on = [ checkpoint_management_host.hosts_lab]
lifecycle {
replace_triggered_by = [checkpoint_management_host.hosts_lab ]
}
}

resource "checkpoint_management_service_tcp" "tcp_service" {
for_each = local.clients
name = "tcp_${each.key}"
port = "${each.value.remote_port}"
session_timeout = 3600
match_for_any = true
sync_connections_on_cluster = true
ignore_warnings = true
aggressive_aging = {
enable = true
timeout = 360
use_default_timeout = false
}
keep_connections_open_after_policy_installation = true
tags = []
lifecycle {
precondition {
condition = (
each.value["remote_port"] >= 1000 &&
each.value["remote_port"] <= 65000
)
error_message = "Port number must be between 1000 and 65000"
}
}

}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS1_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
for_each = local.clients
name = "${each.key}"
layer = "FWLVS2_policy Network"
position = { top = "top" }
source = ["existing_group"]
destination = ["host_${each.key}"]
service = ["tcp_${each.key}"]
action = "Accept"
track = {
accounting = true
type = "Log"
per_connection = "true"
}
depends_on = [ checkpoint_management_host.hosts_lab, checkpoint_management_service_tcp.tcp_service ]
action_settings = {
enable_identity_captive_portal = false
}
content = []
custom_fields = {}
time = []
}

resource "checkpoint_management_publish" "unstable_lab" {
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service]
}

resource "checkpoint_management_install_policy" "FWL_VS1" {
policy_package = "FWLVS1_policy"
targets = ["FWLVS1"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab ]
}

resource "checkpoint_management_install_policy" "FWL_VS2" {
policy_package = "FWLVS2_policy"
targets = ["FWLVS2"]
triggers = toset([sha1(jsonencode([
checkpoint_management_host.hosts_lab,
checkpoint_management_access_rule.in-policy-FWL_VS1,
checkpoint_management_access_rule.in-policy-FWL_VS2,
checkpoint_management_service_tcp.tcp_service,
]))])
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1 ]
}

resource "checkpoint_management_logout" "unstable_lab" {
triggers = ["${timestamp()}"]
depends_on = [checkpoint_management_host.hosts_lab, checkpoint_management_access_rule.in-policy-FWL_VS1, checkpoint_management_access_rule.in-policy-FWL_VS2, checkpoint_management_service_tcp.tcp_service, checkpoint_management_publish.unstable_lab, checkpoint_management_install_policy.FWL_VS1, checkpoint_management_install_policy.FWL_VS2]
}

``

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
- destroy
-/+ destroy and then create replacement
Terraform will perform the following actions:

checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

  • resource "checkpoint_management_access_rule" "in-policy-FWL_VS1" {
    • action = "Accept" -> null
    • action_settings = {
      • "enable_identity_captive_portal" = "false"
        } -> null
    • content = [] -> null
    • content_direction = "any" -> null
    • content_negate = false -> null
    • custom_fields = {} -> null
    • destination = [
      • "host_client_3",
        ] -> null
    • destination_negate = false -> null
    • enabled = true -> null
    • id = "60df76ab-952c-4a81-9242-f811fc712003" -> null
    • ignore_errors = false -> null
    • ignore_warnings = false -> null
    • install_on = [] -> null
    • layer = "FWL-BE-DMZINT_policy Network" -> null
    • name = "client_3" -> null
    • position = {
      • "top" = "top"
        } -> null
    • service = [
      • "tcp_client_3",
        ] -> null
    • service_negate = false -> null
    • source = [
      • "existing_group",
        ] -> null
    • source_negate = false -> null
    • time = [] -> null
    • track = {
      • "accounting" = "true"
      • "per_connection" = "true"
      • "type" = "Log"
        } -> null
    • vpn = "Any" -> null
      }

checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

  • resource "checkpoint_management_access_rule" "in-policy-FWL_VS2" {
    • action = "Accept" -> null
    • action_settings = {
      • "enable_identity_captive_portal" = "false"
        } -> null
    • content = [] -> null
    • content_direction = "any" -> null
    • content_negate = false -> null
    • custom_fields = {} -> null
    • destination = [
      • "host_client_3",
        ] -> null
    • destination_negate = false -> null
    • enabled = true -> null
    • id = "0fee58d6-0f04-43c7-96eb-4acdddbccc43" -> null
    • ignore_errors = false -> null
    • ignore_warnings = false -> null
    • install_on = [] -> null
    • layer = "FWL-BE-DMZPRV_policy Network" -> null
    • name = "client_3" -> null
    • position = {
      • "top" = "top"
        } -> null
    • service = [
      • "tcp_client_3",
        ] -> null
    • service_negate = false -> null
    • source = [
      • "existing_group",
        ] -> null
    • source_negate = false -> null
    • time = [] -> null
    • track = {
      • "accounting" = "true"
      • "per_connection" = "true"
      • "type" = "Log"
        } -> null
    • vpn = "Any" -> null
      }

checkpoint_management_group.groups_lab will be updated in-place

~ resource "checkpoint_management_group" "groups_lab" {
id = "cb645dd5-5221-445a-ab4b-d12d8bab0a61"
~ members = [
- "host_client_3",
# (2 unchanged elements hidden)
]
name = "group_terraformed"
tags = []
# (3 unchanged attributes hidden)
}

checkpoint_management_host.hosts_lab["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

  • resource "checkpoint_management_host" "hosts_lab" {
    • color = "black" -> null
    • id = "c2605a4c-6800-4654-909c-f98b7e3fe1d0" -> null
    • ignore_errors = false -> null
    • ignore_warnings = true -> null
    • ipv4_address = "10.100.200.3" -> null
    • name = "host_client_3" -> null
    • nat_settings = {} -> null
    • tags = [] -> null
      }

checkpoint_management_install_policy.FWL_VS1 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS1" {
~ id = "install-policy-nrqihmvykd" -> (known after apply)
~ task_id = "1ccf9d30-b246-43f4-8ce8-1c8cc2b5bb49" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_install_policy.FWL_VS2 must be replaced

-/+ resource "checkpoint_management_install_policy" "FWL_VS2" {
~ id = "install-policy-br8oh3nykd" -> (known after apply)
~ task_id = "95c7efda-2ac7-48ed-a72f-235fa835e0d8" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
# (4 unchanged attributes hidden)
}

checkpoint_management_logout.unstable_lab must be replaced

-/+ resource "checkpoint_management_logout" "unstable_lab" {
~ id = "logout-ypdyzdj9kg" -> (known after apply)
~ triggers = [
- "2023-01-03T18:20:43Z",
] -> (known after apply) # forces replacement
}

checkpoint_management_publish.unstable_lab must be replaced

-/+ resource "checkpoint_management_publish" "unstable_lab" {
~ id = "publish-vgndg6ldby" -> (known after apply)
~ task_id = "01234567-89ab-cdef-8d12-8c39b51d80ed" -> (known after apply)
~ triggers = [ # forces replacement
+ "00634fa4a304ad78e0d01badc15de0e3859b95e1",
- "b9d1295431895bedb0005b1b1a877bed2f451200",
]
}

checkpoint_management_service_tcp.tcp_service["client_3"] will be destroyed

(because key ["client_3"] is not in for_each map)

  • resource "checkpoint_management_service_tcp" "tcp_service" {
    • aggressive_aging = {
      • "enable" = "true"
      • "timeout" = "360"
      • "use_default_timeout" = "false"
        } -> null
    • color = "black" -> null
    • id = "6fe11bfc-2659-47f8-a04e-80fec5593c50" -> null
    • ignore_errors = false -> null
    • ignore_warnings = true -> null
    • keep_connections_open_after_policy_installation = true -> null
    • match_by_protocol_signature = false -> null
    • match_for_any = true -> null
    • name = "tcp_client_3" -> null
    • override_default_settings = false -> null
    • port = "3003" -> null
    • session_timeout = 3600 -> null
    • sync_connections_on_cluster = true -> null
    • tags = [] -> null
    • use_default_session_timeout = true -> null
      }
      Plan: 4 to add, 1 to change, 8 to destroy.
      checkpoint_management_logout.unstable_lab: Destroying... [id=logout-ypdyzdj9kg]
      checkpoint_management_logout.unstable_lab: Destruction complete after 0s
      checkpoint_management_install_policy.FWL_VS2: Destroying... [id=install-policy-br8oh3nykd]
      checkpoint_management_install_policy.FWL_VS2: Destruction complete after 0s
      checkpoint_management_install_policy.FWL_VS1: Destroying... [id=install-policy-nrqihmvykd]
      checkpoint_management_install_policy.FWL_VS1: Destruction complete after 0s
      checkpoint_management_publish.unstable_lab: Destroying... [id=publish-vgndg6ldby]
      checkpoint_management_publish.unstable_lab: Destruction complete after 0s
      checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destroying... [id=60df76ab-952c-4a81-9242-f811fc712003]
      checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destroying... [id=0fee58d6-0f04-43c7-96eb-4acdddbccc43]
      checkpoint_management_access_rule.in-policy-FWL_VS1["client_3"]: Destruction complete after 0s
      checkpoint_management_access_rule.in-policy-FWL_VS2["client_3"]: Destruction complete after 0s
      checkpoint_management_host.hosts_lab["client_3"]: Destroying... [id=c2605a4c-6800-4654-909c-f98b7e3fe1d0]
      checkpoint_management_service_tcp.tcp_service["client_3"]: Destroying... [id=6fe11bfc-2659-47f8-a04e-80fec5593c50]
      checkpoint_management_service_tcp.tcp_service["client_3"]: Destruction complete after 0s

      │ Error: failed to execute API call
      │ Status: 400 Bad Request
      │ Code: err_validation_failed
      │ Message: Validation failed with 1 warning
      │ Warnings:
      │ 1. Object host_client_3 is used by the following objects: group_terraformed



      Cleaning up project directory and file based variables
      00:00
      ERROR: Job failed: exit code 1
0 Kudos
1 Solution

Accepted Solutions
alexproca
Participant

It's a terraform provider problem, not a management or api problem.
Also posted this on the provider github page and a developer acknowledged the bug and promised to solve in the next release.

https://github.com/CheckPointSW/terraform-provider-checkpoint/issues/135
The version i tried is v2.1.0 so look for the bug fix in the release notes of future versions.

View solution in original post

(1)
5 Replies
alexproca
Participant

Another note, I tried ignore_warnings/errors but it did not work also, the checkpoint api/gui does not allow you to delete a host that is part of a group.

0 Kudos
PhoneBoy
Admin
Admin

What is the version/JHF of management?
What does a where-used on the relevant object show?

alexproca
Participant

HOTFIX_R81_10_JUMBO_HF_MAIN Take: 66

The relevant object showed up in the group I created with terraform. Process.

1. create host x with terraform

2. create group y with members host x with terraform

at this point host x was used in group y.

3. when trying to delete host x, terraform does two things:
3a. delete: host x
3b. update-in-place: remove host x from group y

Since terraform is trying to do 3a before 3b, API gives error that the group is used. 

  

0 Kudos
the_rock
Legend
Legend

I once had hell of a time with trying to delete identity provider object that was referenced with a specific gateway. I must have spent close to 3 hours with TAC on the phone until we finally got it...had to re-log back into Guidbedit close to 20 times and remove every single reference of it.I hope your case is not going to be like mine, but Gudbedit is always good place to start, because once removed from database, you will not have any issues with smart console.

0 Kudos
alexproca
Participant

It's a terraform provider problem, not a management or api problem.
Also posted this on the provider github page and a developer acknowledged the bug and promised to solve in the next release.

https://github.com/CheckPointSW/terraform-provider-checkpoint/issues/135
The version i tried is v2.1.0 so look for the bug fix in the release notes of future versions.

(1)
Upcoming Events

    CheckMates Events