ninixclub
Explorer

Manage security policies via Terraform

Hello

I try to manage our security policies via Terraform but I have a few questions:

Question 1 : 

For each object created, are we obliged to use a dedicated publish resource (object in publish resource dependency) or is it possible to use a generic publish resource? -> In order to publish all objects created before without dependency

Question 2:

After an object creation, if I would like to delete it, what is the correct method? I tried to delete its configuration in the tf file and remove the dependency in the publish resource but it doesn't work. If I look in the management server this object is locked (not deleted).

Question 3 : 

I add at the end of my tf file the install policy resource! It works well but only for the first terraform apply! I think it's normal because afterwards terraform sees that there is no change to this resource, so it doesn't do anything.

In this case, do you have a solution to be sure that the policy will be installed each time we launch a terraform apply?

14 Replies
Miguel_Villarr1
Participant

Here is a solution using Terraform and Check Point that might meet your needs. STRUCTURA.IO/Terraform/Check Point 

ninixclub
Explorer

Hello, thanks for your feedback but my goal is to use terraform natively without adding (for the moment) a new product.

We work on a POC in order to choose our future FW technology and terraform is still used to pilot our on-premise infrastructure (for example: hypervisor, SDN, load balancer etc ...)

So for us it is mandatory that Terraform helps us to manage security equipment and also the access control.

That's the reason for my questions!

Please I need some answers or links in order to progress in my POC.

StuartGreen
Employee

For q1, I think you can use a timestamp trigger within the publish resource so if it's different it always gets 'created' when you run terraform apply. The timestamp string will always be different whenever you run a tf apply, so it *should* always trigger that resource to fire.

q2 - not so sure on this one I'm afraid. The way to delete a resource with terraform is to remove the config. Then with terraform plan / apply you'll see that section appear with a "-" showing that it will be removed. It might be linked to your publish action not being triggered every time. The timestamp option for q1 might fix this too.

q3 - same as for q1, try a timestamp entry as a trigger to make sure it always gets recreated.

ninixclub
Explorer

It's a very good idea to use a timestamp trigger within the publish resource but after several tests I unfortunately didn't find a good configuration!

So if you can provide me an example it would be wonderful 🙂

Regards

StuartGreen
Employee

something like...

 

resource "checkpoint_management_publish" "myPublishAction" {
  triggers = {
    time-stamp = "${timestamp()}"
  }
}

ninixclub
Explorer

Hello

Thanks for your help

 

I tested it but it doesn't work

Here is the error message:

Error: Incorrect attribute value type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers = {
44: time-stamp = "${timestamp()}"
45: }

Inappropriate value for attribute "triggers": set of string required.

Regards

StuartGreen
Employee

How about without the '=' after 'triggers' (trying to do this from memory and not in front of a computer 🙂 )

ninixclub
Explorer

Hello

Sorry, but it doesn't work either 🙂

Error: Unsupported block type

on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
43: triggers {

Blocks of type "triggers" are not expected here. Did you mean to define
argument "triggers"? If so, use the equals sign to assign it a value.

 

Regards

StuartGreen
Employee

ok, back at laptop now 🙂

 

Can you post your TF template please? No sensitive info of course.

ninixclub
Explorer

Here is one of the tf files that I use for my tests, to illustrate my issue.

It works fine but only the first time; afterwards, if I want to delete or add an object, the publish and install resources are not executed during a terraform apply!

It's normal because for terraform these resources have not been changed!

Thanks for your help

Regards 

 

variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {}
variable "CHECKPOINT_CONTEXT" {}

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.3.0"
    }
  }
}

provider "checkpoint" {
  # Configuration options
  server   = var.CHECKPOINT_SERVER
  username = var.CHECKPOINT_USERNAME
  password = var.CHECKPOINT_PASSWORD
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10"
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20"
  color        = "red"
}

resource "checkpoint_management_publish" "publish_changes" {}

resource "checkpoint_management_install_policy" "install_fwtest" {
  policy_package = "pol_test"
  targets        = ["fwtest"]
}

StuartGreen
Employee

This works for the publish action and should work for the install action too:

 

resource "checkpoint_management_publish" "publish_changes" {
  triggers = ["${timestamp()}"]
}

 

I've tested the other uses you mentioned and the publish action kicks in after every terraform apply.

Art_Zalenekas
Employee

True, but we have had the triggers argument starting with Check Point provider v1.2. Maybe that is the issue. What version are you running? I would highly recommend you run the latest provider version, v1.3.

EDIT: I see that you are running provider v1.3. What version of Terraform are you running?
Also, triggers in the context of the publish resource is a key of type Set, not a dictionary. What @StuartGreen posted is correct and works on my side as well.
https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkp...

https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs/resources/checkpoint_man...

 

Art_Zalenekas
Employee

triggers is part of the local-exec provisioner, as well as null-resource. You can run multiple provisioners, including local-exec provisioners. They are also conditional, which means they have the when statement as well to create logic on create/destroy Terraform plans.

resource "null_resource" "publish_hooks" {
  # triggers is an argument of null_resource (a map of strings); a changed
  # value forces re-creation, which runs the create-time provisioners again
  triggers = {
    always_run = timestamp()
  }

  provisioner "local-exec" {
    when    = create
    command = "<command;command>"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "<commands>"
  }
}

Look at null-resource as well.
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource

 

StuartGreen
Employee

Hey guys, I know this was a while back, but it came up on another project I was working on recently. Extending on Art's answer, I think the most complete way to manage publish or install actions is using the helper utilities that come with the Check Point Terraform provider (https://github.com/CheckPointSW/terraform-provider-checkpoint/tree/master/commands). They're mentioned on the overview page but not in the context of how to use them in a TF module.

 

First, you need to install Go on the machine you're deploying from. Then clone or download the code from the link above and change to the commands > publish directory.

Run 'go build publish.go' and it will compile a binary in the current directory named 'publish'. Move this to a directory in your path and check it runs by running 'publish' (it will error, but that's fine at this point).

 

Then in your TF module, use this as a framework:

 

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.5.0"
    }
  }
}

provider "checkpoint" {
  server   = "YOUR.MGMT.IP.HERE"
  username = "YOURUSER"
  password = "YOURPASSWORD"
  context  = "web_api"
}

resource "checkpoint_management_host" "host1" {
  name         = "myhost1"
  ipv4_address = "10.20.30.40"
  color        = "blue"

  # runs the compiled 'publish' helper when this host is destroyed
  provisioner "local-exec" {
    when    = destroy
    command = "publish"
  }
}

resource "checkpoint_management_publish" "pub1" {
  depends_on = [checkpoint_management_host.host1]
  triggers   = [timestamp()]
}

 

You will also need to set environment variables CHECKPOINT_SERVER, CHECKPOINT_USERNAME and CHECKPOINT_PASSWORD for the publish command to connect to your management server.

 

The module above has a publish 'resource' with a dependency on the host. This makes sure that the publish action happens after the host is added, and you'll need to add dependencies on policy elements if you want to have an embedded publish action like this.

For destroy actions, the local-exec provisioner within the host is called and executes the 'publish' binary, which uses the session ID file in the Terraform module directory for the SID to publish.

That's a lot of words for something which is actually pretty simple and in testing, works well!
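Pulling the timestamp-trigger reply and the depends_on ordering together into one module, here is an added example (not from the thread or from the Check Point provider's own code) that answers the original Q1 and Q3 in one place: a single generic publish covering every object, and an install that is chained after it so both fire on every apply. It assumes that checkpoint_management_install_policy accepts the same triggers set as the publish resource, that credentials come from the CHECKPOINT_* environment variables rather than the file, and the host addresses are constructed sample values.

```hcl
terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.5.0"
    }
  }
}

# Server and credentials are read from CHECKPOINT_SERVER, CHECKPOINT_USERNAME
# and CHECKPOINT_PASSWORD so nothing sensitive lands in the module or the state.
provider "checkpoint" {
  context = "web_api"
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10" # constructed sample value
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20" # constructed sample value
  color        = "red"
}

# One generic publish for all objects above. depends_on orders it after the
# hosts; timestamp() changes on every plan, so Terraform replaces this resource
# (and therefore publishes the session) on every apply, not just the first.
resource "checkpoint_management_publish" "publish_changes" {
  depends_on = [
    checkpoint_management_host.test1,
    checkpoint_management_host.test2,
  ]
  triggers = [timestamp()]
}

# Same trigger on the install (assumption: install_policy exposes triggers
# like publish does), chained after the publish so the gateway receives the
# revision that was just published rather than the previous one.
resource "checkpoint_management_install_policy" "install_fwtest" {
  depends_on     = [checkpoint_management_publish.publish_changes]
  policy_package = "pol_test"  # from the original post
  targets        = ["fwtest"]  # from the original post
  triggers       = [timestamp()]
}
```

This covers adds and changes; deleting an object still needs a publish to run after the destroy, which is what the destroy-time local-exec provisioner calling the compiled 'publish' helper provides.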
