Manage security policies via Terraform
Hello
I am trying to manage our security policies via Terraform, but I have a few questions:
Question 1:
For each object created, are we obliged to use a dedicated publish resource (with the object as a dependency of the publish resource), or is it possible to use a generic publish resource, in order to publish all objects created before it without a dependency?
Question 2:
After creating an object, if I want to delete it, what is the correct method? I tried deleting its configuration in the tf file and removing the dependency in the publish resource, but it doesn't work. When I look in the management server, this object is locked (not deleted).
Question 3:
I added the install policy resource at the end of my tf file. It works well, but only for the first terraform apply. I think that's normal: afterwards Terraform sees no change to this resource, so it does nothing.
In this case, do you have a solution to make sure the policy is installed each time we run terraform apply?
Here is a solution using Terraform and Check Point that might meet your needs. STRUCTURA.IO/Terraform/Check Point
Hello, thanks for your feedback, but my goal is to use Terraform natively without adding (for the moment) a new product.
We are working on a POC to choose our future firewall technology, and Terraform is still used to drive our on-premises infrastructure (for example: hypervisor, SDN, load balancer, etc.).
So for us it is mandatory that Terraform helps us manage the security equipment and also the access control.
That is the reason for my questions!
Please, I need some answers or links in order to progress with my POC.
For q1, I think you can use a timestamp trigger within the publish resource so if it's different - it always gets 'created' when you run terraform apply. The timestamp string will always be different whenever you run a tf apply, so *should* always trigger that resource to fire.
q2 - not so sure on this one I'm afraid. The way to delete a resource with terraform is to remove the config. Then with terraform plan / apply you'll see that section appear with a "-" showing that it will be removed. It might be linked to your publish action not being triggered every time. The timestamp option for q1 might fix this too.
q3 - same as for q1, try a timestamp entry as a trigger to make sure it always gets recreated.
It's a very good idea to use a timestamp trigger within the publish resource, but after several tests I unfortunately didn't find a good configuration!
So if you can provide me with an example, it will be wonderful 🙂
Regards
something like...
resource "checkpoint_management_publish" "myPublishAction" {
  triggers = {
    time-stamp = "${timestamp()}"
  }
}
Hello
Thanks for your help.
I tested it, but it doesn't work.
Here is the error message:
Error: Incorrect attribute value type
  on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
  43:   triggers = {
  44:     time-stamp = "${timestamp()}"
  45:   }
Inappropriate value for attribute "triggers": set of string required.
Regards
How about without the '=' after 'triggers'? (Trying to do this from memory and not in front of a computer 🙂)
Hello
Sorry, but it doesn't work either 🙂
Error: Unsupported block type
  on mainv2.tf line 43, in resource "checkpoint_management_publish" "myPublishAction":
  43:   triggers {
Blocks of type "triggers" are not expected here. Did you mean to define
argument "triggers"? If so, use the equals sign to assign it a value.
Regards
OK, back at the laptop now 🙂
Can you post your TF template please? No sensitive info of course.
Here is one of the tf files that I use for my tests, to illustrate my issue.
It works fine, but only the first time; afterwards, if I want to delete or add an object, the publish and install resources are not executed during a terraform apply!
That's normal, because for Terraform these resources have not been changed!
Thanks for your help
Regards
# Connection details are passed in as variables (TF_VAR_* or a tfvars file),
# so no credentials live in the module itself.
variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {}
variable "CHECKPOINT_CONTEXT" {}

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.3.0"
    }
  }
}

provider "checkpoint" {
  # Configuration options
  server   = var.CHECKPOINT_SERVER
  username = var.CHECKPOINT_USERNAME
  password = var.CHECKPOINT_PASSWORD
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10"
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20"
  color        = "red"
}

# No arguments and no triggers: once created, Terraform sees nothing to change
# here on later applies, so the publish only happens the first time.
resource "checkpoint_management_publish" "publish_changes" {}

# Same situation for the install: it only runs on the first apply.
resource "checkpoint_management_install_policy" "install_fwtest" {
  policy_package = "pol_test"
  targets        = ["fwtest"]
}
This works for the publish action and should work for the install action too:
# triggers is a set of strings; timestamp() changes on every run, so the
# resource is re-created (and the publish executed) on every terraform apply.
resource "checkpoint_management_publish" "publish_changes" {
  triggers = ["${timestamp()}"]
}
I've tested the other uses you mentioned and the publish action kicks in after every terraform apply action.
True, but we have had the triggers argument since Check Point provider v1.2. Maybe that is the issue. What version are you running? I would highly recommend you run the latest provider version, v1.3.
EDIT: I see that you are running provider v1.3. What version of Terraform are you running?
Also, triggers in the context of the publish resource is a key of type set, not a dictionary. What @StuartGreen posted is correct and works on my side as well.
https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkp...
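To put the replies above together, here is an added example (not code from the thread or from the Check Point provider's own documentation) showing the pattern the original poster's module was missing: the publish resource lists the objects it must follow in depends_on and carries a timestamp trigger, and the install resource depends on the publish so the two always run in the right order on every apply. It reuses the variable names and object names from the posted module; the context value is the provider's web_api default, and the assumption that checkpoint_management_install_policy accepts the same triggers set is taken from the reply above ("should work for the install action too"), so check the provider version you run.

```hcl
variable "CHECKPOINT_SERVER" {}
variable "CHECKPOINT_USERNAME" {}
variable "CHECKPOINT_PASSWORD" {}

terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.3.0"
    }
  }
}

provider "checkpoint" {
  server   = var.CHECKPOINT_SERVER
  username = var.CHECKPOINT_USERNAME
  password = var.CHECKPOINT_PASSWORD
  context  = "web_api" # assumed default context, as in the later reply
}

resource "checkpoint_management_host" "test1" {
  name         = "test1"
  ipv4_address = "10.10.10.10"
  color        = "red"
}

resource "checkpoint_management_host" "test2" {
  name         = "test2"
  ipv4_address = "10.10.10.20"
  color        = "red"
}

# Publish after all objects in this module have been created or updated.
# triggers is a set of strings; timestamp() is different on every run, so the
# resource is replaced (and a publish issued) on every terraform apply, not
# only the first one.
resource "checkpoint_management_publish" "publish_changes" {
  depends_on = [
    checkpoint_management_host.test1,
    checkpoint_management_host.test2,
  ]
  triggers = [timestamp()]
}

# Install only once the session has been published, and re-run it on every
# apply for the same reason. (triggers on this resource is an assumption taken
# from the reply above; verify it against your provider version.)
resource "checkpoint_management_install_policy" "install_fwtest" {
  depends_on     = [checkpoint_management_publish.publish_changes]
  policy_package = "pol_test"
  targets        = ["fwtest"]
  triggers       = [timestamp()]
}
```

Two practical caveats. First, a trigger that changes every run means terraform plan is never clean for the publish and install resources, so you lose the "no changes" signal for those two; that is the price of forcing them to execute. Second, depends_on cannot be computed, so every new object added to the module must also be added to the publish resource's list, otherwise Terraform may issue the publish before that object exists in the session.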
triggers is part of the local-exec provisioner, as well as null_resource. You can run multiple provisioners, including local-exec provisioners. They are also conditional, which means they have the when statement as well, to create logic on create/destroy Terraform plans.
# Terraform only accepts triggers as an argument on the resource itself (here
# a null_resource), not as a block inside the provisioner. A changing value
# forces the null_resource to be re-created, which runs its provisioners again.
resource "null_resource" "publish_on_change" {
  triggers = {
    always_run = timestamp()
  }

  provisioner "local-exec" {
    when    = create
    command = "<command;command>"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "<commands>"
  }
}
Look at null_resource as well.
https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource
Hey guys, I know this was a while back now, but it came up on another project I was working on recently. Extending on Art's answer, I think the most complete way to manage publish or install actions is using the helper utilities that come with the Check Point Terraform provider (https://github.com/CheckPointSW/terraform-provider-checkpoint/tree/master/commands). They're mentioned on the overview page, but not in the context of how to use them in a TF module.
First, you need to install Go on the machine you're deploying from. Then, clone or download the code from the link above and change to the commands > publish directory.
Run 'go build publish.go' and it will compile a binary in the current directory named 'publish'. Move this to a directory in your path and check it runs by running 'publish' (it will error, but that's fine at this point).
Then in your TF module, use this as a framework:
terraform {
  required_providers {
    checkpoint = {
      source  = "CheckPointSW/checkpoint"
      version = "1.5.0"
    }
  }
}

provider "checkpoint" {
  server   = "YOUR.MGMT.IP.HERE"
  username = "YOURUSER"
  password = "YOURPASSWORD"
  context  = "web_api"
}

resource "checkpoint_management_host" "host1" {
  name         = "myhost1"
  ipv4_address = "10.20.30.40"
  color        = "blue"

  # On destroy, run the compiled 'publish' helper so the deletion is published
  # (destroy-time provisioners only run when this resource is removed).
  provisioner "local-exec" {
    when    = destroy
    command = "publish"
  }
}

# Publish after the host exists; the timestamp trigger makes this run on every apply.
resource "checkpoint_management_publish" "pub1" {
  depends_on = [checkpoint_management_host.host1]
  triggers   = [timestamp()]
}
You will also need to set the environment variables CHECKPOINT_SERVER, CHECKPOINT_USERNAME and CHECKPOINT_PASSWORD for the publish command to connect to your management server.
The module above has a publish 'resource' with a dependency on the host. This makes sure that the publish action happens after the host is added, and you'll need to add dependencies on policy elements if you want to have an embedded publish action like this.
For destroy actions, the local-exec provisioner within the host is called and executes the 'publish' binary, which uses the session ID file in the Terraform module directory for the SID to publish.
That's a lot of words for something which is actually pretty simple and, in testing, works well!