The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
│ Error: Module is incompatible with count, for_each, and depends_on
│ 
│   on modules/region-hub/main.tf line 16, in module "checkpoint":
│   16:     module.vpcs
│ 
│ The module at module.region_europe-west2.module.checkpoint.module.checkpointsw-cloudguardiaas
│ is a legacy module which contains its own local provider configurations, and so calls to it may
│ not use the count, for_each, or depends_on arguments.
│ 
│ If you also control the module
│ "git::https://github.com/CheckPointSW/CloudGuardIaaS.git?ref=72d58cf//terraform/gcp/high-availability",
│ consider updating this module to instead expect provider configurations to be passed by its
│ caller.

This is the piece that breaks the modern module support.

Should create a versions.tf instead, something like this: https://github.com/terraform-google-modules/terraform-google-network/blob/a93fd8ba6075dff58abdd3dbcb4487c29abc7168/modules/vpc/versions.tf#L17-L24

Hi,

In module:
https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/management

Problem adding multiple Admin CIDR not allowed in for management module.

Expected:
Add an array of CIDR's to admin_cidr

Current:
Only one CIDR allowed so if have more enabling insecure 0.0.0.0/0 , this would mean to secure would need to limit this and then afterwards additionally add other CIDR

In file https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/management/main.tf
It allows for a block of CIDR
cidr_blocks = [var.admin_cidr]
but the variable is only allowed to be once CIDR.
File: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/management/variables.tf
variable "admin_cidr" { type = string description = "(CIDR) Allow web, ssh, and graphical clients only from this network to communicate with the Security Management Server" default = "0.0.0.0/0" }

If you have multiple Office CIDR you want to connect you have to add them after wards.
Can this be change to a list(string) instead of a string.

Feel free to ping me at Yaakov Goodman in Checkpoint

Hi,

We're looking to use terraform to deploy this marketplace solution (CloudGuard Network Security for Gateway Load Balancer - BYOL):
https://aws.amazon.com/marketplace/pp/prodview-tq2l5nyunuesu?ref_=srh_res_product_title#pdp-overview

Is this supported from the list of images available at https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/aws ?

Hi

From guide of Terraform, there should be no providers in modules, but there're many such things in the code that cause errors, can you remove them?

https://developer.hashicorp.com/terraform/language/modules/develop/providers

"Provider configurations can be defined only in a root Terraform module."

"A module intended to be called by one or more other modules must not contain any provider blocks."

Scott

Hello!

The Terraform docs for the azurerm_virtual_machine_scale_set resource indicate that this resource has been deprecated in favor of the more specific azurerm_linux_virtual_machine_scale_set or azurerm_windows_virtual_machine_scale_set.

Are there plans to update this to the linux VMSS resource?

I'm currently working in a private repo that is spinning up a Check Point VMSS using the linux resource type but am having trouble getting the cloud-init.sh to run due to differences in how the custom_data values are fed in. In the linux_virtual_machine_scale_set resource type, the custom_data must have base64encode applied to it versus azurerm_virtual_machine_scale_set not needing it. I believe this is where my issues with not being able to successfully run the cloud-init.sh script originate.

I'm looking into switching my existing repo to using the azurerm_virtual_machine_scale_set resource as used by Check Point and imagine I'll end up doing that, but figured I'd submit this issue in the meantime since I imagine this will need to be done sooner or later.

Also, this is my first time submitting an issue on a public repo so please let me know if I should be doing anything differently!

Warning: "network_security_group_id": [DEPRECATED] Use the azurerm_subnet_network_security_group_association resource instead.

Hi,

I'm calling management module from my code , however getting below error while calling master version. It looks like providers block doesn't work with count parameter .

As we are using aws provider, once I commented the providers block from main.tf in management module
and removed provider block from main.tf ( cme-iam-role module) and all works fine.

Should I raise a PR or is there a fix for this.

module "cme_iam_role" {
count = local.create_iam_role ? 1 : 0
source = "../cme-iam-role"
//providers = {
// aws = aws
// }

Error message:

Module "cme_iam_role" cannot be used with count because it contains a nested
provider configuration for "aws", at
CloudGuardIaaS/terraform/aws/cme-iam-role/main.tf:1,10-15.

This module can be made compatible with count by changing it to receive all of
its provider configurations from the calling module, by using the "providers"
argument in the calling module block

vmss-new-vnet creates a nsg on eth0 of the scale set.
vmss-existing-vnet doesn't do that however a nsg is required on the subnet or nic by the standard public load balancer in order to allow traffic to the scale set.

Any reason for this? It took me a while to investigate what was wrong so I would either:

• add nsg creation to vmss-new-vnet
• document the requirement for an nsg in README

Hi,
After lots of troubleshooting FW Gateway version deployed last week, today running the terraform the version of the AWS AMI in the launch configuration showed a downgraded version, but didn't know to update the instances until you refresh or autoscale.

Expected:
Able to indicate which AWS AMI to use. Not not overwrite current AWS AMI version of Gateway FW.
Allowing either the following:
AMI : as variable
AMI : as dynamic from https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml

Current:
The autoscale goes to module for ami's and get's the AMI, and will update the launchconfiguration template, but no version will change unless an auto-scale or refresh is done.
terraform/aws/autoscale/main.tf
36: image_id = module.amis.ami_id

Details:
Last week when deploying FW gateway autoscaling it installed version: R80.40-294.943, this week when running terraform it deployed R80.40-294.936 to only the launch configuration.

As it seems there is some issue in this version R80.40-294.943, didn't know to refresh to the older version. (As shown in https://cgi-cfts.s3.amazonaws.com/utils/amis.yaml is now pointing to R80.40-294.936 )

Not Working: R80.40-294.943 the AWS LB was showing unhealthy instances . Though the NAT looked ok in the SmartConsole, In logs showed the following error
IP routing failed (bridge routing failure)

Is there a site where can see which version is a working version or if there are issues with the version and should downgrade.

-Thanks

chkp-yaakovg

Dear Developer,

For readability and Search Engine Optimization (SEO) it would be great if you could do the followings:

• Please provide more than 8 words in the "About" field

│ Warning: Argument is deprecated
│
│ with azurerm_lb_backend_address_pool.frontend-lb-pool,
│ on main.tf line 111, in resource "azurerm_lb_backend_address_pool" "frontend-lb-pool":
│ 111: resource_group_name = module.common.resource_group_name
│
│ This field is no longer used and will be removed in the next major version of the Azure Provider
│
│ (and 12 more similar warnings elsewhere)
╵
╷
│ Warning: Deprecated attribute
│
│ on ../modules/vnet/main.tf line 48, in resource "azurerm_route_table" "frontend":
│ 48: address_prefix = azurerm_subnet.subnet[0].address_prefix
│
│ The attribute "address_prefix" is deprecated. Refer to the provider documentation for details.
│
│ (and 3 more similar warnings elsewhere)

Hi,

Deploying the Azure Ckp SMS and Gateway in Azure platform with the mainTemplate.json template I received an error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"InvalidContentLink\",\r\n \"message\": \"Unable to download deployment content from 'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace-management/nestedtemplates/vnet-1-subnet-existing.json'. The tracking Id is 'xxxx-xxxx-xxxx-xxxx-xxxx'. Please see https://aka.ms/arm-deploy for usage details.\"\r\n }\r\n}"}]}

This is because in this line is referring to a template that is moved to other location:

This template is no longer reachable: https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace-management/nestedtemplates/vnet-1-subnet-existing.json

and its moved from

CheckPointSW/CloudGuardIaaS/master/azure/templates/marketplace-management/nestedtemplates

to

CheckPointSW/CloudGuardIaaS/blob/master/azure/templates/nestedtemplates/vnet-1-subnet-existing.json

For this reason this template is producing an error in the download of one of the dependencies (vnet-1-subnet-existing.json).

Can you please help us to fix the link in order to succeed in the installation?

Thanks in advance for you help!

Hi,
Trying to deploy the 'high-availability-new-vnet' but the apply hangs on interface creation:

azurerm_network_interface.nic1[1]: Still creating... [6m30s elapsed]
azurerm_network_interface.nic1[0]: Still creating... [6m30s elapsed]

I have tried this on eastus,westus and northeurope - same issue. I have had it running for 35 minutes before i hard canceled it. Anyone else with this issue ? -- I am unable to figure out what is wrong.

blacklist specific ENIs

currently version of this file has following lines:

chkconfig --add autoprovision
service autoprovision start

But this caused problem in my environment, I found this error in log file /var/log/aws-user-data.log

Running service autoprovision start...
error reading information on service autoprovision: No such file or directory

The workaround worked for me was just remove these 2 lines, cos I think the CME was already installed successfully and the service is running properly. But I'm not sure this is recommended officially so I would like to ask your help to confirm and update this file accordingly.

Update Admin Guide Link in terraform\gcp\high-availability\README.md

"See Check Point's documentation for Cluster High Availability (HA) [here]"

Correct Link - https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailabilty_for_GCP/Content/Topics-GCP-HA/CP-CloudGuard-IaaS-HA-for-GCP.htm

Current Link - (https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_IaaS_HighAvailabilty_for_GCP/Content/Topics/Check_Point_CloudGuard_IaaS_High_Availability_for_GCP.htm?tocpath=Check%20Point%20CloudGuard%20IaaS%20High%20Availability%20for%20GCP%7C_____0)

Hi,

thank you for fixing the earlier issue, today i was testing the code and found inbound port rule is still missing and because of that i am unable to access firewall external IP from internet. I had to manually create a NSG for inbound port rule to get firewall access and similar problem for outbound port rule.

The boot script of the VM in the GCP deployment manager template creates a hardcode list of static routes to RFC1918 subnets on the internal network.
This is undesirable for deployments with multiple internal interfaces.
Proposal: add a variable 'privateStaticRoutes' with a space separate list of subnets to configure at boot time. Each subnet may optionally be suffixed with :<interface-number> to specify an alternative interface (than internalInterfaceNumber).
E.g.

privateStaticRoutes: 10.0.0.0/8 10.1.0.0/16:2 10.2.0.0/16:3

Please let me know if this is an acceptable proposal, then I'll create a PR for it.

Hi, anyone can give me some advice about this.
I cannot solve the error of ClusterXL: "Member state: ClusterXL inactive or machine is down", after I created the cluster from SmartConsole.
Detailed info in Problem Notification Table was like, Fullsync: problem, routed: problem, others are OK.
I can ssh to my cluster members. Don't know if this is the problem, but I found that I can only see ipconfig1 of nic_vip(10.0.1.5), cannot even ping the other ip-configuration(10.0.1.7).

In the Terraform scripts:

• vmss-existing-vnet
• vmss-new-vnet

The variable "availability_zones_num" in terraform.tfvars accepts only 1 digit, being 0, 1, 2 or 3.
If you fill in one of these numbers, the scale set will only be deployed in that zone.

Azure expects a list of zones where the scale set should be deployed.
My current workaround was to comment out in main.tf the line that states "zones = var.availability_zones_num".
And replace it with " zones = ["1", "2", "3"] ", only then will the scale set be installed as multi-zone.

Hi,

I'm using the management-new-vnet templates and with the destroy instruction terraform fails to delete network interface due to Nic in use.

module.vnet.azurerm_subnet_network_security_group_association.security_group_frontend_association: Still destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-...ent/subnets/tf-nva-cpmanagement-subnet, 1m20s elapsed]
module.network-security-group.azurerm_network_security_rule.security_rule[1]: Still destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-...nagement-nsg/securityRules/GAiA-portal, 1m20s elapsed]
module.network-security-group.azurerm_network_security_rule.security_rule[1]: Destruction complete after 1m22s
module.vnet.azurerm_subnet_network_security_group_association.security_group_frontend_association: Destruction complete after 1m27s
module.network-security-group.azurerm_network_security_rule.security_rule[3]: Still destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-...ement-nsg/securityRules/SmartConsole-2, 1m20s elapsed]
module.network-security-group.azurerm_network_security_rule.security_rule[3]: Still destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-...ement-nsg/securityRules/SmartConsole-2, 1m30s elapsed]
module.network-security-group.azurerm_network_security_rule.security_rule[3]: Destruction complete after 1m31s
module.network-security-group.azurerm_network_security_group.nsg: Destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-a66643297f09/resourceGroups/tf-resource-group-cpmanagement/providers/Microsoft.Network/networkSecurityGroups/tf-resource-group-cpmanagement-nsg]
module.network-security-group.azurerm_network_security_group.nsg: Still destroying... [id=/subscriptions/458e4a11-f79c-4246-9b72-...ups/tf-resource-group-cpmanagement-nsg, 10s elapsed]
module.network-security-group.azurerm_network_security_group.nsg: Destruction complete after 14s
╷
│ Error: deleting Network Interface: (Name "tf-nva-cpmanagement-eth0" / Resource Group "tf-resource-group-cpmanagement"): network.InterfacesClient#Delete: Failure sending request: StatusCode=400 -- Original Error: Code="NicInUse" Message="Network Interface /subscriptions/458e4a11-f79c-4246-9b72-a66643297f09/resourceGroups/tf-resource-group-cpmanagement/providers/Microsoft.Network/networkInterfaces/tf-nva-cpmanagement-eth0 is used by existing resource /subscriptions/458e4a11-f79c-4246-9b72-a66643297f09/resourceGroups/TF-RESOURCE-GROUP-CPMANAGEMENT/providers/Microsoft.Compute/virtualMachines/tf-nva-cpmanagement. In order to delete the network interface, it must be dissociated from the resource. To learn more, see aka.ms/deletenic." Details=[]
│

Hi

Is it this a normal behavior that each time we do change or NOT change but we do an apply, it destroys the GW and disk and recreates a new one ?

I have requirement to create checkpoint firewall and vpn along with azure route server.

I seen 4 different module and not sure which one is for what ? Can you add more details on the readme

Hello,

while there's already a Terraform template for deploying VMSS in existing Azure VNets, no such thing exists for HA availability set/zones. Would it be possible to publish these as it would be very helpful for upgrading and migrating from existing deployments.

Thanks,
Nikos

Currently Tap Lambda only gets primary ENIs from each instance available for VPC traffic mirroring. Need Lambda to scan for all available interfaces

Azure > Terraform:
For the following two templates in Azure:

• vmss-new-vnet
• vmss-existing-vnet

Would it be possible to create a variable for x-chkp-ip-address?
And add it as a variable to be filled in the terraform.tfvars?

I would think these would be the required changes (please verify):
In main.tf, modify to:

tags = var.management_interface == "eth0"?{
x-chkp-management = var.management_name,
x-chkp-template = var.configuration_template_name,
x-chkp-ip-address = var.x-chkp-ip-address,
x-chkp-management-interface = var.management_interface,
x-chkp-management-address = var.management_IP,
x-chkp-topology = "eth0:external,eth1:internal",
x-chkp-anti-spoofing = "eth0:false,eth1:false",
x-chkp-srcImageUri = "noCustomUri",
}:{
x-chkp-management = var.management_name,
x-chkp-template = var.configuration_template_name,
x-chkp-ip-address = var.x-chkp-ip-address,
x-chkp-management-interface = var.management_interface,
x-chkp-topology = "eth0:external,eth1:internal",
x-chkp-anti-spoofing = "eth0:false,eth1:false",
x-chkp-srcImageUri = "noCustomUri",
}
}

In variables.tf add:
variable "x-chkp-ip-address"{
description = "Define how to manage the Check Point Scale set, from it's ILPIP or Private IP"
type = string
default = "private"
}

In terraform.tfvars add:
x-chkp-ip-address = "PLEASE ENTER public or private" # Fill in "public" or "private"

Thanks!

Hello,

Would it be easy to provide us with the Terraform template for SMS deployment on Azure?

Thanks,
Vangelis

The Azure HA test script (azure/misc/azure_ha_test.py) no longer works after in-place upgrade to R81.10 (following sk177714).

[Expert@hostname:0]# /opt/CPsuite-R81.10/fw1/scripts/azure_ha_test.py
Image version is: azure_blink_image_Check_Point_ignis_main_T335_135854
Error:
list index out of range

This is because the code to extract branch and take_number variables from image_version does not work with this image name:

Hardcoding branch and take_number in the script allows the script to run, but this is not a scalable solution.

Line 103 needs to have a "," comma separator on the list, this is the master branch and is dropping the error

Error: Missing item separator
│
│ On ../modules/common/instance_type/main.tf line 104: Expected a comma to mark the beginning of the next item.

I've been deploying CheckPoint HA clusters in GCP for about 2 years and just learned about the Terraform option. Everything is quite clear except for the 'image_name' variable. The documentation mentions this link:

https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/gcp/deployment-packages/ha-byol/images.py

But I've tried both the key and values from the IMAGES dictionary and get this error:

│ Error: Error in function call
│
│   on locals.tf line 10, in locals:
│   10:   validate_image_name = length(regexall(local.regex_validate_image_name, var.image_name)) > 0 ? 0 : index(split("-", var.image_name), "INVALID IMAGE NAME")
│     ├────────────────
│     │ var.image_name is "check-point-r8040-byol-294-759-v20201202"
│
│ Call to function "index" failed: item not found.

Hi,

Can you please update the VMSS definition for the latest updates regarding the resource definition in terraform, just receive this log during terraform run:

Warning: Deprecated Resource
│
│ with module.vmss.azurerm_virtual_machine_scale_set.vmss,
│ on .terraform/modules/vmss/modules/vmss-cldgd/main.tf line 300, in resource "azurerm_virtual_machine_scale_set" "vmss":
│ 300: resource "azurerm_virtual_machine_scale_set" "vmss" {
│
│ The 'azurerm_virtual_machine_scale_set' resource has been superseded by the
│ 'azurerm_linux_virtual_machine_scale_set' and
│ 'azurerm_windows_virtual_machine_scale_set' resources. Whilst this resource
│ will continue to be available in the 2.x and 3.x releases it is
│ feature-frozen for compatibility purposes, will no longer receive any
│ updates and will be removed in a future major release of the Azure
│ Provider.

Thanks in advance,

António Oliveira

File Path:
azure\templates\marketplace-single\mainTemplate.json

Full error here:

11/23/2020, 1:08:09 PM - error - Deployment template validation failed: 'The template resource '_artifactsLocation' at line '1' and column '3981' is not valid: The language expression property 'templateLink' doesn't exist, available properties are 'template, templateHash, parameters, mode, provisioningState'.. Please see https://aka.ms/arm-template-expressions for usage details.'.

Looks like the issue is with the "templateLink" on line 217

We would like to make use of the modules inside this repository but on the surface I am concered by the code formatting and non standard validation of inputs.

This repo probably needs formatting, linting, document generation and validation applied to it. Then a bit of general code cleanup.

Potential IaC pipeline

Could make use something simple like pre-commit to format, lint, generate documentation and validation. You can run it client side or server side with pre-commit run --all-files.

Example .pre-commit-config.yaml file:

fail_fast: true
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      # Git style
      - id: check-added-large-files
      - id: check-merge-conflict
      - id: check-vcs-permalinks
      - id: forbid-new-submodules
      - id: no-commit-to-branch

      # Common errors
      - id: end-of-file-fixer
      - id: trailing-whitespace
        args: [--markdown-linebreak-ext=md]
      - id: check-merge-conflict

      # Cross platform
      - id: check-case-conflict
      - id: mixed-line-ending
        args: [--fix=lf]

      # Security
      - id: detect-aws-credentials
        args: ["--allow-missing-credentials"]

      - id: detect-private-key

  - repo: https://github.com/adrienverge/yamllint.git
    rev: v1.29.0
    hooks:
      - id: yamllint

  - repo: https://github.com/jumanjihouse/pre-commit-hooks
    rev: 3.0.0
    hooks:
      - id: shfmt
        args: ["-l", "-i", "2", "-ci", "-sr", "-w"]
      - id: shellcheck

  # Dockerfile linter
  - repo: https://github.com/hadolint/hadolint
    rev: v2.12.1-beta
    hooks:
      - id: hadolint
        args: [
            "--ignore",
            "SC2086" # Double quote to prevent globbing and word splitting
          ]

  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: "v1.77.0" # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
    hooks:
      - id: terraform_fmt
      - id: terragrunt_fmt
      - id: terraform_docs
        args:
          - --hook-config=.terraform-doc.yml # Valid UNIX path. I.e. ../TFDOC.md or docs/README.md etc.
          - --hook-config=--add-to-existing-file=false # Boolean. true or false
          - --hook-config=--create-file-if-not-exist=true # Boolean. true or false
          - --hook-config=--output-file=README.md"
          - --hook-config=--recursive
      - id: terraform_tflint
      - id: terraform_checkov
        args:
          - --args=--quiet
          - --args=--skip-check CKV_SECRET_6
          - --args=--skip-path .terragrunt-cache
          - --args=--skip-path .terraform
          - --args=--skip-path .git
          - --args=--skip-path .profile
          - --args=--skip-path test
      - id: terraform_tfsec
        args:
          - >
            --args=--exclude-downloaded-modules --no-module-downloads
            --concise-output
            -e aws-ecs-enable-container-insight

.tflint.hcl

plugin "aws" {
  enabled = true
  version = "0.30.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

.yamllint

---
# Based on ansible-lint config
extends: default

ignore: |
  **/templates/*.yaml

rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  colons:
    max-spaces-after: -1
    level: error
  commas:
    max-spaces-after: -1
    level: error
  comments: disable
  comments-indentation: disable
  document-start: disable
  empty-lines:
    max: 3
    level: error
  hyphens:
    level: error
  indentation: disable
  key-duplicates: enable
  line-length: disable
  new-line-at-end-of-file: disable
  new-lines:
    type: unix
  trailing-spaces: disable
  truthy: disable

Variable Validation

Variable validation has been part of Terraform since 0.13 - https://developer.hashicorp.com/terraform/language/values/variables#custom-validation-rules

There seems to be a lot of examples like the following:

We have regex validation occuring here: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/autoscale-gwlb/locals.tf#L23

Which should probably be applied here: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/autoscale-gwlb/variables.tf#L89

Code formatting

These types of issues are throughout the code base.

Poor formatting

Random indentation:
https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/cme-iam-role-gwlb/main.tf#L94

Should probably consistenly add spaces between resources

With space
https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/autoscale-gwlb/main.tf#L134

With no space
https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/aws/autoscale-gwlb/main.tf#L141

can you please add to topics of the repo:
cloudguard-iaas azure aws gcp azure-stack cft terraform deploy operate

Per the documentation at
https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/gcp/high-availability#inputs

The input variables, "service_account_path" or "project" are "not" required, but you cannot execute with a plan that omits these variables:

If I have a tfvars with service_account_path = "" or, without service_account_path at all:

>terraform plan -var-file=terraform-sandbox.tfvars
random_string.generated_password: Refreshing state... [id=AxEbI9pi8L0b]

Error: Invalid function argument

  on main.tf line 2, in provider "google":
   2:   credentials = file(var.service_account_path)
    |----------------
    | var.service_account_path is ""

Invalid value for "path" parameter: failed to read ..

If I have no project variable:

Error: project: required field is not set

  on variables.tf line 32, in data "google_compute_regions" "available_regions":
  32: data "google_compute_regions" "available_regions" {

Hi,

Can you add support for creating mds-primary, mds-secondary and mds-logserver in CloudGuardIaaS/terraform/azure/?

Thanks!
Jim

This is in reference to deploying Check Point CloudGuard IaaS High Availability solution into an existing Vnet in Azure using the following repository:

https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/high-availability-existing-vnet

It does not appear terraform/azure/high-availability-existing-vnet/cloud-init.sh that runs python3 /etc/cloud_config.py to configure SIC during boot is working.

I am unable to establish SIC with each the gateway post-deployment. I need to manually reset SIC on each gateway before I can establish SIC.

Hello,
Currently management server from "management-new-vnet" doesn't use some parameters from terraform.tfvars file like admin_shell or mgmt_enable_api.
I suppose any of it is configured by blink, and it is disabled for the management server. I tried to change "is_blink" to true, but in this case the server is not working.

When using the deployment module for GCP, such as https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/gcp/high-availability
terraform plan/apply is not idempotent:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # google_compute_address.primary_cluster_ip_ext_address must be replaced
-/+ resource "google_compute_address" "primary_cluster_ip_ext_address" {
      ~ address            = "35.225.34.234" -> (known after apply)
      ~ creation_timestamp = "2021-04-15T13:46:37.978-07:00" -> (known after apply)
      ~ id                 = "projects/gce-infrastructure-sandbox/regions/us-central1/addresses/tf-checkpoint-ha-primary-cluster-address-9a204" -> (known after apply)
      ~ name               = "tf-checkpoint-ha-primary-cluster-address-9a204" -> (known after apply) # forces replacement
      ~ network_tier       = "PREMIUM" -> (known after apply)
      ~ project            = "gce-infrastructure-sandbox" -> (known after apply)
      + purpose            = (known after apply)
      ~ self_link          = "https://www.googleapis.com/compute/v1/projects/gce-infrastructure-sandbox/regions/us-central1/addresses/tf-checkpoint-ha-primary-cluster-address-9a204" -> (known after apply)
      + subnetwork         = (known after apply)
      ~ users              = [] -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Steps to reproduce:
Execute terraform apply and create the resources initially.
Run terraform plan or apply again; it suggests to destroy/recreate the resources.

This is likely due to the use of uuid() functions: https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/terraform/gcp/high-availability/main.tf#L23

Without idempotency, this makes it difficult to use on platforms like terraform enterprise/cloud, or in general, running terraform plan to see if there's any expected changes if this was embedded with other terraform scripts.

Hi all. I'm attempting to deploy the following Azure ARM - https://github.com/CheckPointSW/CloudGuardIaaS/blob/master/azure/templates/marketplace-ha/mainTemplate.json, and I'm getting the following error:
{"code":"InvalidContentLink","message":"Unable to download deployment content from 'https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/'. The tracking Id is '08f2ae23-f240-4f7a-9196-dd870b0a94df'. Please see https://aka.ms/arm-deploy for usage details."}

I followed the instructions in the README.MD but perhaps I'm missing something. Any help would be greatly appreciated! Thanks.

Are any new repository to get amis_url inside amis module?

variable "amis_url" {
type = string
description = "URL to amis.json"
default = "https://s3.amazonaws.com/CloudFormationTemplate/amis.json" => returning Access Denied!!
}

I've changed the marketplace-ha template to add a Public IP Prefix, I don't want randomly assigned Public IP Addresses. I've also updated resource names to match my customers naming standard and also make sure that the naming is a bit more descriptive. If I deploy the template manually is there something that can go wrong that would affect support, licensing or other?

I'm a bit confused by the first declared resource in the template, an empty nested deploy. Is the deployment ID something that's used during support requests or something like that?

    {
      "apiVersion": "2020-06-01",
      "name": "pid-7fbd7ca2-a62c-5cb5-9b28-3900ca6dba8d",
      "type": "Microsoft.Resources/deployments",
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": []
        }
      }
    }

Azure VMSS Terraform template should preferably have an option to manage the instances on their public IP.

x-chkp-ip-address = "public"

In Modules\Common\variables.tf

Disk size is hardcoded into the code. In 2017 Azure supported up to 4TB, but now 32TB disks are supported.
Raise limit or adapt code?

variable "disk_size" {
description = "Storage data disk size size(GB).Select a number between 100 and 3995"
type = string
}

resource "null_resource" "disk_size_validation" {
// Will fail if var.disk_size is less than 100 or more than 3995
count = tonumber(var.disk_size) >= 100 && tonumber(var.disk_size) <= 3995 ? 0 : "variable disk_size must be a number between 100 and 3995"
}

On Azure Virtual Machines and Virtual Machine Scale Sets a plan block is required when using an existing image like from checkpoint.

Here is the provider documentation:
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine_scale_set#plan

When the plan block is not supplied with the image Azure will report the error

Creating a virtual machine from Marketplace image requires Plan information in the request.

Once the plan block was supplied like this the virtual machines deployed correctly.

plan {
    name      = "sg-byol"
    publisher = "checkpoint"
    product   = "check-point-cg-r8110"
  }

I used the the existing vmss-existing-vnet template and had several failed deployments until adding the plan block with those values. The name seems to be the license name which isn't exactly intuitive, and I think it should be made more clear in the documentation going forward. Thanks.

Hello Checkpoint,

Is there a plan to have terraform code to deploy MDS in Azure? Or can you please suggest tweaks to existing code?

I have tried to set some variables in the terraformmanagement deployment with values that I can see in the ARM templates in this repo. For example:

variable "installation_type" {
  description = "Installation type"
  type        = string
  default     = "mds-primary" 
}

I also added it to the variables.tf of the common module:

locals { // locals for 'installation_type' allowed values
  installation_type_allowed_values = [
    "cluster",
    "vmss",
    "management",
    "mds-primary"
  ]
  // will fail if [var.installation_type] is invalid:
  validate_installation_type_value = index(local.installation_type_allowed_values, var.installation_type)
}

And also update the version

variable "template_version" {
  description = "Template version. It is recommended to always use the latest template version"
  type        = string
  default     = "20230124"
}

But of course it did not work 😅, I think I am missing more than just those variables. It was worth a try before opening this issue.

[Expert@cp-mds-vpndmz:0]# mdsconfig
bash: mdsconfig: command not found

[Expert@cp-mds-vpndmz:0]# mdsstart_start 
/bin/mdsstart_start: line 11: /scripts/mdsstart: No such file or directory

Please let me know if I should open a support ticket instead.

Many thanks.

Hello.
When I am running "high-availability-new-vnet", each time terraform loops at creating two nics and network association (two other nics are created).
If I stop and retry running, it will continue deploying successfully.
AzureRM 2.92, Terraform 1.66.
UPD:
Terraform destroy also loops.

when finished the terraform execution, the gateway_password_hash seems cannot apply correctly and cannot login with the defined password