From dda06b88a19aaea4dcf817cb5dfbdb97dd4fa593 Mon Sep 17 00:00:00 2001
From: chkp-royl <51701986+chkp-royl@users.noreply.github.com>
Date: Sun, 18 Dec 2022 14:13:29 +0200
Subject: [PATCH] Fix bugs in vpn,exception group and threat exception resources (#133)
---
 ...ce_checkpoint_management_cloud_services.go | 73 ++++++++++++++++++-
 ...e_checkpoint_management_exception_group.go | 38 ++++++++--
 ..._checkpoint_management_threat_exception.go | 2 +-
 ...heckpoint_management_vpn_community_star.go | 42 +++++------
 website/checkpoint.erb | 18 +++++
 ...nt_management_cloud_services.html.markdown | 9 ++-
 website/docs/index.html.markdown | 19 +++-
 7 files changed, 162 insertions(+), 39 deletions(-)
diff --git a/checkpoint/data_source_checkpoint_management_cloud_services.go b/checkpoint/data_source_checkpoint_management_cloud_services.go
index 6f2fd41b..c5c3c58f 100644
--- a/checkpoint/data_source_checkpoint_management_cloud_services.go
+++ b/checkpoint/data_source_checkpoint_management_cloud_services.go
@@ -41,6 +41,39 @@ func dataSourceManagementCloudServices() *schema.Resource {
 Computed: true,
 Description: "The Management Server's public URL.",
 },
+ "tenant_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Tenant ID of Infinity Portal.",
+ },
+ "gateways_onboarding_settings": {
+ Type: schema.TypeList,
+ MaxItems: 1,
+ Computed: true,
+ Description: "Gateways on-boarding to Infinity Portal settings.",
+ Elem: &schema.Resource{
+ Schema: map[string]*schema.Schema{
+ "connection_method": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Indicate whether Gateways will be connected to Infinity Portal automatically or only after policy installation.",
+ },
+ "participant_gateways": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Which Gateways will be connected to Infinity Portal.",
+ },
+ "specific_gateways": {
+ Type: schema.TypeSet,
+ Computed: true,
+ Description: "Collection of targets identified by Name or UID.",
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
+ },
+ },
+ },
 },
 }
 }
@@ -62,7 +95,7 @@ func dataSourceManagementCloudServicesRead(d *schema.ResourceData, m interface{}
 if v := showCloudServicesRes["status"]; v != nil {
 _ = d.Set("status", v)
-}else{
+} else {
 _ = d.Set("status", nil)
 }
@@ -77,16 +110,50 @@ func dataSourceManagementCloudServicesRead(d *schema.ResourceData, m interface{}
 }
 _ = d.Set("connected_at", connectedAtState)
 }
-}else{
+} else {
 _ = d.Set("connected_at", nil)
 }
 if v := showCloudServicesRes["management-url"]; v != nil {
 _ = d.Set("management_url", v)
-}else{
+} else {
 _ = d.Set("management_url", nil)
 }
+ if v := showCloudServicesRes["tenant-id"]; v != nil {
+ _ = d.Set("tenant_id", v)
+ } else {
+ _ = d.Set("tenant_id", nil)
+ }
+
+ if v := showCloudServicesRes["gateways-onboarding-settings"]; v != nil {
+ gatewaysOnboardingSettingsMap := v.(map[string]interface{})
+ gatewaysOnboardingSettings := make(map[string]interface{})
+
+ if v := gatewaysOnboardingSettingsMap["connection-method"]; v != nil {
+ gatewaysOnboardingSettings["connection_method"] = v.(string)
+ }
+
+ if v := gatewaysOnboardingSettingsMap["participant-gateways"]; v != nil {
+ gatewaysOnboardingSettings["participant_gateways"] = v.(string)
+ }
+
+ if v := gatewaysOnboardingSettingsMap["specific-gateways"]; v != nil {
+ specificGatewaysJson, _ := v.([]interface{})
+ specificGatewaysRes := make([]string, 0)
+ if len(specificGatewaysJson) > 0 {
+ for _, gw := range specificGatewaysJson {
+ gw := gw.(map[string]interface{})
+ specificGatewaysRes = append(specificGatewaysRes, gw["name"].(string))
+ }
+ }
+ gatewaysOnboardingSettings["specific_gateways"] = specificGatewaysRes
+ }
+ _ = d.Set("gateways_onboarding_settings", []interface{}{gatewaysOnboardingSettings})
+ } else {
+ _ = d.Set("gateways_onboarding_settings", nil)
+ }
+
 d.SetId("show-cloud-services-" + acctest.RandString(5))
 return nil
diff --git a/checkpoint/resource_checkpoint_management_exception_group.go b/checkpoint/resource_checkpoint_management_exception_group.go
index f5374f5f..47e8e516 100644
--- a/checkpoint/resource_checkpoint_management_exception_group.go
+++ b/checkpoint/resource_checkpoint_management_exception_group.go
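Review bot: `gw["name"].(string)` in the specific-gateways loop is an unchecked type assertion, so a target the API returns without a `name` key (the schema text says targets are "identified by Name or UID") makes the provider panic during read instead of returning an error. Guard it, e.g. `if name, ok := gw.(map[string]interface{})["name"].(string); ok { specificGatewaysRes = append(specificGatewaysRes, name) }`, and treat the outer `v.(map[string]interface{})` the same way. The `if len(specificGatewaysJson) > 0` wrapper is redundant, since `range` over an empty or nil slice is already a no-op. The closing brace of dataSourceManagementCloudServicesRead lies outside the hunk.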
@@ -140,23 +140,45 @@ func createManagementExceptionGroup(d *schema.ResourceData, m interface{}) error
 for i := range appliedThreatRulesList {
- Payload := make(map[string]interface{})
+ appliedThreatRule := make(map[string]interface{})
 if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".layer"); ok {
- Payload["layer"] = v.(string)
+ appliedThreatRule["layer"] = v.(string)
 }
 if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".name"); ok {
- Payload["name"] = v.(string)
+ appliedThreatRule["name"] = v.(string)
 }
 if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".rule_number"); ok {
- Payload["rule-number"] = v.(string)
+ appliedThreatRule["rule-number"] = v.(string)
 }
- if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".position"); ok {
- Payload["position"] = v.(string)
+ if _, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".position"); ok {
+ if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".position.top"); ok {
+ if v.(string) == "top" {
+ appliedThreatRule["position"] = "top"
+ } else {
+ appliedThreatRule["position"] = map[string]interface{}{"top": v.(string)}
+ }
+ }
+
+ if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".position.above"); ok {
+ appliedThreatRule["position"] = map[string]interface{}{"above": v.(string)}
+ }
+
+ if v, ok := d.GetOk("applied_threat_rules." + strconv.Itoa(i) + ".position.below"); ok {
+ appliedThreatRule["position"] = map[string]interface{}{"below": v.(string)}
+ }
+
+ if v, ok := d.GetOk("applied_threat_rules." 
+ strconv.Itoa(i) + ".position.bottom"); ok {
+ if v.(string) == "bottom" {
+ appliedThreatRule["position"] = "bottom" // entire rule-base
+ } else {
+ appliedThreatRule["position"] = map[string]interface{}{"bottom": v.(string)} // section-name
+ }
+ }
 }
- appliedThreatRulesPayload = append(appliedThreatRulesPayload, Payload)
+ appliedThreatRulesPayload = append(appliedThreatRulesPayload, appliedThreatRule)
 }
- exceptionGroup["appliedThreatRules"] = appliedThreatRulesPayload
+ exceptionGroup["applied-threat-rules"] = appliedThreatRulesPayload
 }
 }
diff --git a/checkpoint/resource_checkpoint_management_threat_exception.go b/checkpoint/resource_checkpoint_management_threat_exception.go
index b0a365db..ff8cc917 100644
--- a/checkpoint/resource_checkpoint_management_threat_exception.go
+++ b/checkpoint/resource_checkpoint_management_threat_exception.go
@@ -37,7 +37,7 @@ func resourceManagementThreatException() *schema.Resource {
 },
 "layer": {
 Type: schema.TypeString,
- Required: true,
+ Optional: true,
 Description: "Layer that the rule belongs to identified by the name or UID.",
 },
 "position": {
diff --git a/checkpoint/resource_checkpoint_management_vpn_community_star.go b/checkpoint/resource_checkpoint_management_vpn_community_star.go
index fc5228b2..e33c9b14 100644
--- a/checkpoint/resource_checkpoint_management_vpn_community_star.go
+++ b/checkpoint/resource_checkpoint_management_vpn_community_star.go
@@ -67,7 +67,7 @@ func resourceManagementVpnCommunityStar() *schema.Resource {
 Default: "aes-256",
 },
 "ike_p1_rekey_time": {
- Type: schema.TypeInt,
+ Type: schema.TypeString,
 Optional: true,
 Description: "Indicates the time interval for IKE phase 1 renegotiation.",
 Default: 1440,
@@ -106,7 +106,7 @@ func resourceManagementVpnCommunityStar() *schema.Resource {
 Default: "group-2",
 },
 "ike_p2_rekey_time": {
- Type: schema.TypeInt,
+ Type: schema.TypeString,
 Optional: true,
 Description: "Indicates the time interval for IKE phase 2 renegotiation.",
 Default: 1440,
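Review bot: The four `position.*` lookups in the new block each overwrite `appliedThreatRule["position"]`, so a rule that sets more than one of `top`, `above`, `below` or `bottom` silently sends only the last one checked (`bottom`) to the API. Unless the schema already declares `ConflictsWith` between these attributes (not visible in this hunk), add a check before each assignment along the lines of `if _, dup := appliedThreatRule["position"]; dup { return <error: only one of top/above/below/bottom may be set for applied_threat_rules.N> }`, formatted the way the function already reports errors. The `// entire rule-base` and `// section-name` comments on the bottom branch would also help on the symmetric top branch. createManagementExceptionGroup starts and ends outside the hunk.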
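Review bot: `ike_p1_rekey_time` is changed to `schema.TypeString` but keeps `Default: 1440`, an int literal that no longer matches the declared type; the SDK may weak-decode it to a string when computing the diff, but relying on that is fragile, so make it `Default: "1440"`. The same mismatch appears for `ike_p2_rekey_time` at @@ -106 and in the granular-encryption copies at @@ -223 and @@ -262. Since the attribute is now a free-form string with no `ValidateFunc`, a non-numeric value is accepted at plan time and only rejected (if at all) by the API.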
@@ -180,7 +180,7 @@ func resourceManagementVpnCommunityStar() *schema.Resource {
 Schema: map[string]*schema.Schema{
 "internal_gateway": {
 Type: schema.TypeString,
- Required: true,
+ Required: true,
 Description: "Internally managed Check Point gateway identified by name or UID, or 'Any' for all internal-gateways participants in this community.",
 },
 "external_gateway": {
@@ -223,7 +223,7 @@ func resourceManagementVpnCommunityStar() *schema.Resource {
 Default: "aes-256",
 },
 "ike_p1_rekey_time": {
- Type: schema.TypeInt,
+ Type: schema.TypeString,
 Optional: true,
 Description: "Indicates the time interval for IKE phase 1 renegotiation.",
 Default: 1440,
@@ -262,7 +262,7 @@ func resourceManagementVpnCommunityStar() *schema.Resource {
 Default: "group-2",
 },
 "ike_p2_rekey_time": {
- Type: schema.TypeInt,
+ Type: schema.TypeString,
 Optional: true,
 Description: "Indicates the time interval for IKE phase 2 renegotiation.",
 Default: 1440,
@@ -349,7 +349,7 @@ func createManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 res["encryption-algorithm"] = v.(string)
 }
 if v, ok := d.GetOk("ike_phase_1.ike_p1_rekey_time"); ok {
- res["ike-p1-rekey-time"] = v.(int)
+ res["ike-p1-rekey-time"] = v.(string)
 }
 vpnCommunityStar["ike-phase-1"] = res
 }
@@ -371,7 +371,7 @@ func createManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 res["ike-p2-pfs-dh-grp"] = v.(bool)
 }
 if v, ok := d.GetOk("ike_phase_2.ike_p2_rekey_time"); ok {
- res["ike-p2-rekey-time"] = v.(int)
+ res["ike-p2-rekey-time"] = v.(string)
 }
 vpnCommunityStar["ike-phase-2"] = res
 }
@@ -467,7 +467,7 @@ func createManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 ikePhase1Payload["diffie-hellman-group"] = v.(string)
 }
 if v, ok := d.GetOk("granular_encryptions." + strconv.Itoa(i) + ".ike_phase_1.ike_p1_rekey_time"); ok {
- ikePhase1Payload["ike-p1-rekey-time"] = v.(int)
+ ikePhase1Payload["ike-p1-rekey-time"] = v.(string)
 }
 payload["ike-phase-1"] = ikePhase1Payload
 }
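Review bot: `res["ike-p1-rekey-time"] = v.(string)` now sends the rekey time to the API as a JSON string, while the read path in this same commit treats the returned value as a JSON number (`v.(float64)`), so the wire type is inconsistent and any non-numeric user input (the attribute has no validation) is forwarded unchecked. Parse and validate before building the payload: `rekey, err := strconv.Atoi(v.(string))`, return a wrapped error when `err != nil`, then `res["ike-p1-rekey-time"] = rekey`; `strconv` is already imported by this file. The same applies to @@ -371 and @@ -467 here, to @@ -486, and to @@ -1055 and @@ -1074 in updateManagementVpnCommunityStar. createManagementVpnCommunityStar starts and ends outside the hunk.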
@@ -486,7 +486,7 @@ func createManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 ikePhase2Payload["ike-p2-pfs-dh-grp"] = v.(bool)
 }
 if v, ok := d.GetOk("granular_encryptions." + strconv.Itoa(i) + ".ike_phase_2.ike_p2_rekey_time"); ok {
- ikePhase2Payload["ike-p2-rekey-time"] = v.(int)
+ ikePhase2Payload["ike-p2-rekey-time"] = v.(string)
 }
 payload["ike-phase-2"] = ikePhase2Payload
 }
@@ -603,7 +603,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 ikePhase1MapToReturn["encryption_algorithm"] = v
 }
 if v := ikePhase1Map["ike-p1-rekey-time"]; v != nil {
- ikePhase1MapToReturn["ike_p1_rekey_time"] = v
+ ikePhase1MapToReturn["ike_p1_rekey_time"] = strconv.Itoa(int(v.(float64)))
 }
 _, ikePhase1InConf := d.GetOk("ike_phase_1")
 defaultIkePhase1 := map[string]interface{}{"encryption_algorithm": "aes-256", "diffie_hellman_group": "group-2", "data_integrity": "sha1"}
@@ -635,7 +635,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 ikePhase2MapToReturn["ike_p2_pfs_dh_grp"] = v
 }
 if v := ikePhase2Map["ike-p2-rekey-time"]; v != nil {
- ikePhase2MapToReturn["ike_p2_rekey_time"] = v
+ ikePhase2MapToReturn["ike_p2_rekey_time"] = strconv.Itoa(int(v.(float64)))
 }
 _, ikePhase2InConf := d.GetOk("ike_phase_2")
 defaultIkePhase2 := map[string]interface{}{"encryption_algorithm": "aes-128", "data_integrity": "sha1"}
@@ -673,7 +673,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 }
 }
 _ = d.Set("override_vpn_domains", overrideVpnDomainsListToReturn)
-}else{
+} else {
 _ = d.Set("override_vpn_domains", nil)
 }
@@ -726,7 +726,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 }
 }
 _ = d.Set("shared_secrets", sharedSecretsListToReturn)
-}else{
+} else {
 _ = d.Set("shared_secrets", nil)
 }
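Review bot: `strconv.Itoa(int(v.(float64)))` in the @@ -603 hunk panics if the API returns `ike-p1-rekey-time` as anything other than a JSON number; since the create path in this same commit now submits the field as a string, a server that echoes the submitted type back would crash the provider on read instead of producing a diff. Use a guarded conversion, e.g. `if f, ok := v.(float64); ok { ikePhase1MapToReturn["ike_p1_rekey_time"] = strconv.Itoa(int(f)) } else if s, ok := v.(string); ok { ikePhase1MapToReturn["ike_p1_rekey_time"] = s }`. The same unchecked assertion is repeated at @@ -635 and in the granular-encryption hunks at @@ -789 and @@ -810. readManagementVpnCommunityStar starts and ends outside the hunk.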
@@ -749,7 +749,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 if obj["name"] != nil {
 internalGatewayName = obj["name"].(string)
 }
-}else if val, ok := v.(string); ok {
+} else if val, ok := v.(string); ok {
 internalGatewayName = val
 }
 granularEncryptionState["internal_gateway"] = internalGatewayName
@@ -762,7 +762,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 if obj["name"] != nil {
 externalGatewayName = obj["name"].(string)
 }
-}else if val, ok := v.(string); ok {
+} else if val, ok := v.(string); ok {
 externalGatewayName = val
 }
 granularEncryptionState["external_gateway"] = externalGatewayName
@@ -789,7 +789,7 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 ikePhase1State["diffie_hellman_group"] = v
 }
 if v := ikePhase1Show["ike-p1-rekey-time"]; v != nil {
- ikePhase1State["ike_p1_rekey_time"] = v
+ ikePhase1State["ike_p1_rekey_time"] = strconv.Itoa(int(v.(float64)))
 }
 granularEncryptionState["ike_phase_1"] = ikePhase1State
 }
@@ -810,14 +810,14 @@ func readManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) error
 ikePhase2State["ike_p2_pfs_dh_grp"] = v
 }
 if v := ikePhase2Show["ike-p2-rekey-time"]; v != nil {
- ikePhase2State["ike_p2_rekey_time"] = v
+ ikePhase2State["ike_p2_rekey_time"] = strconv.Itoa(int(v.(float64)))
 }
 granularEncryptionState["ike_phase_2"] = ikePhase2State
 }
 granularEncryptionsState = append(granularEncryptionsState, granularEncryptionState)
 }
 _ = d.Set("granular_encryptions", granularEncryptionsState)
-}else{
+} else {
 _ = d.Set("granular_encryptions", nil)
 }
 }
@@ -1055,7 +1055,7 @@ func updateManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 ikePhase1Payload["diffie-hellman-group"] = v.(string)
 }
 if v, ok := d.GetOk("granular_encryptions." + strconv.Itoa(i) + ".ike_phase_1.ike_p1_rekey_time"); ok {
- ikePhase1Payload["ike-p1-rekey-time"] = v.(int)
+ ikePhase1Payload["ike-p1-rekey-time"] = v.(string)
 }
 payload["ike-phase-1"] = ikePhase1Payload
 }
@@ -1074,7 +1074,7 @@ func updateManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 ikePhase2Payload["ike-p2-pfs-dh-grp"] = v.(bool)
 }
 if v, ok := d.GetOk("granular_encryptions." + strconv.Itoa(i) + ".ike_phase_2.ike_p2_rekey_time"); ok {
- ikePhase2Payload["ike-p2-rekey-time"] = v.(int)
+ ikePhase2Payload["ike-p2-rekey-time"] = v.(string)
 }
 payload["ike-phase-2"] = ikePhase2Payload
 }
@@ -1082,7 +1082,7 @@ func updateManagementVpnCommunityStar(d *schema.ResourceData, m interface{}) err
 }
 vpnCommunityStar["granular-encryptions"] = granularEncryptionsPayload
 }
-}else{
+} else {
 granularEncryptions, _ := d.GetChange("granular_encryptions")
 oldValues := granularEncryptions.([]interface{})
 if len(oldValues) > 0 {
diff --git a/website/checkpoint.erb b/website/checkpoint.erb
index dff92a60..1ac8efb2 100644
--- a/website/checkpoint.erb
+++ b/website/checkpoint.erb
@@ -493,6 +493,15 @@ > checkpoint_management_radius_group + > + checkpoint_management_gaia_best_practice + + > + checkpoint_management_dynamic_global_network_object + + > + checkpoint_management_global_assignment +
@@ -853,6 +862,15 @@ > checkpoint_management_radius_group + > + checkpoint_management_gaia_best_practice + + > + checkpoint_management_dynamic_global_network_object + + > + checkpoint_management_global_assignment +
diff --git a/website/docs/d/checkpoint_management_cloud_services.html.markdown b/website/docs/d/checkpoint_management_cloud_services.html.markdown
index 3391e46d..8cf1f08a 100644
--- a/website/docs/d/checkpoint_management_cloud_services.html.markdown
+++ b/website/docs/d/checkpoint_management_cloud_services.html.markdown
@@ -20,12 +20,19 @@ data "checkpoint_management_cloud_services" "example" {}
 The following arguments are supported:
 * `status` - Status of the connection to the Infinity Portal.
-* `connected_at` - The time of the connection between the Management Server and the Infinity Portal. connected_at is documented below.
+* `connected_at` - The time of the connection between the Management Server and the Infinity Portal. `connected_at` is documented below.
 * `management_url` - The Management Server's public URL.
+* `tenant_id` - Tenant ID of Infinity Portal.
+* `gateways_onboarding_settings` - Gateways on-boarding to Infinity Portal settings. `gateways_onboarding_settings` is documented below.
 `connected_at` supports the following:
 * `iso_8601` - Date and time represented in international ISO 8601 format.
 * `posix` - Number of milliseconds that have elapsed since 00:00:00, 1 January 1970.
+
+`gateways_onboarding_settings` supports the following:
+* `connection_method` - Indicate whether Gateways will be connected to Infinity Portal automatically or only after policy installation.
+* `participant_gateways` - Which Gateways will be connected to Infinity Portal.
+* `specific_gateways` - Collection of targets identified by Name or UID.
 ## How To Use
 Make sure this command will be executed in the right execution order.
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
index 1a88afe9..b2209458 100644
--- a/website/docs/index.html.markdown
+++ b/website/docs/index.html.markdown
@@ -90,17 +90,17 @@ The following arguments are supported:
 the `CHECKPOINT_TIMEOUT` environment variable. Default value is `10` seconds.
 * `port` - (Optional) Port used for connection to the API server. This can also be defined via the `CHECKPOINT_PORT` environment variable. Default value is `443`.
-* `session_file_name` - (Optional) Session file name used to store the current session id. this can also be defined via
- the `CHECKPOINT_SESSION_FILE_NAME` environment variable. default value is `sid.json`.
 * `proxy_host` - (Optional) Proxy host used for proxy connections. this can also be defined via the `CHECKPOINT_PROXY_HOST` environment variable.
 * `proxy_port` - (Optional) Proxy port used for proxy connections. this can also be defined via the `CHECKPOINT_PROXY_PORT` environment variable.
 * `session_name` - (Optional) Session unique name. this can also be defined via the `CHECKPOINT_SESSION_NAME` environment variable.
+* `session_description` - (Optional) A description of the session's purpose. this can also be defined via the `CHECKPOINT_SESSION_DESCRIPTION` environment variable.
+* `session_file_name` - (Optional) Session file name used to store the current session id. this can also be defined via
+ the `CHECKPOINT_SESSION_FILE_NAME` environment variable. default value is `sid.json`.
 * `cloud_mgmt_id` - (Optional) Smart-1 Cloud management UID. this can also be defined via the `CHECKPOINT_CLOUD_MGMT_ID` environment variable.
-* `session_description` - (Optional) A description of the session's purpose. this can also be defined via the `CHECKPOINT_SESSION_DESCRIPTION` environment variable.
 ## Authentication
@@ -304,7 +304,7 @@ $ mv submit_session $GOPATH/src/github.com/terraform-providers/terraform-provide
 $ submit_session "SESSION_UID"
 ```
-if no session_uid is provided it will submit the current session.
+if no `session_uid` is provided it will submit the current session.
 ### Install Policy
@@ -353,4 +353,13 @@ $ terraform import checkpoint_management_host.host 9423d36f-2d66-4754-b9e2-e7f44
 ```
 For more information about `terraform import` command, please
-refer [here](https://www.terraform.io/docs/import/usage.html).
\ No newline at end of file
+refer [here](https://www.terraform.io/docs/import/usage.html).
+
+## Tips & Best Practices
+
+This section describes best practices for working with the Check Point provider.
+
+* Use one or more dedicated users for provider operations to make sure minimum permissions are granted.
+* Keep on object name uniqueness in your environment.
+* Use object name when reference to an object (avoid use of object UID).
+* Use post apply scripts (e.g. publish, install policy) to run actions after apply your changes. Terraform runs in parallel and because of that we can't predict the order of when changes will execute so running post apply scripts will ensure to run last after all changes submitted successfully.