checkpoint_management_service_tcp - cannot delete object if part of a group #152

Open
pr0c4 opened this issue Jun 20, 2023 · 4 comments

@pr0c4

pr0c4 commented Jun 20, 2023

Hello,

It seems ignore_warnings = true does not work for the resource checkpoint_management_service_tcp, because I can't delete the object if it is part of a group, similar to issue 135, I believe.

resource "checkpoint_management_service_tcp" "tcp_service" {
  for_each                    = var.clients
  name                        = "tcp_${each.key}"
  port                        = "${each.value.remote_port}"
  session_timeout             = 3600
  match_for_any               = true
  sync_connections_on_cluster = true
  ignore_warnings             = true
  aggressive_aging = {
    enable              = true
    timeout             = 360
    use_default_timeout = false
  }
  keep_connections_open_after_policy_installation = true
  tags                                            = []
  lifecycle {
    precondition {
      condition = (
        each.value["remote_port"] >= 1000 &&
        each.value["remote_port"] <= 65000
      )
      error_message = "Port number must be between 1000 and 65000"
    }
  }
}

resource "checkpoint_management_service_group" "smpp_services" {
  name            = "smpp_services"
  ignore_warnings = true
  members         = values(checkpoint_management_service_tcp.tcp_service)[*].name
  depends_on      = [checkpoint_management_service_tcp.tcp_service]
  lifecycle {
    replace_triggered_by = [checkpoint_management_service_tcp.tcp_service]
  }
}

At apply, the delete of the tcp_service instance happens before the update-in-place of smpp_services, so the API gives this error:
│ Error: failed to execute API call
│ Status: 409 Conflict
│ Code: generic_err_object_deletion
│ Message: Object tcp_client_3 could not be deleted because it is referenced by other objects, run where-used command for details

@chkp-adambar
Contributor

Hi
@pr0c4
This is the current behavior of a tcp_service. If we have a service that is part of a group, it cannot be deleted even if we were to choose ignore-warnings.
Thanks

@pr0c4
Author

pr0c4 commented Jun 21, 2023

OK, then is it possible to have the provider do the update-in-place of the group before doing the delete of the host?

@chkp-adambar
Contributor

Hi
At the moment it is not supported by the API and so not supported on the provider that reflects the API. You can open an RFE for Check-Point to include that capability in the API itself.
Thanks

@pr0c4
Author

pr0c4 commented Jun 27, 2023

Thanks, will contact my checkpoint support for the RFE.
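
A pre-apply check for the ordering problem reported in this issue, as an added example (not code from the provider or from either participant): it walks plan data in the shape of `terraform show -json` output and lists service deletions that a group still references in current state, which is the case the API rejected with 409. The sample plan, the `client_1`/`client_3` keys and the helper names are constructed for illustration.

```python
SERVICE_TYPE = "checkpoint_management_service_tcp"
GROUP_TYPE = "checkpoint_management_service_group"


def _change(rtype, key, actions, before, after):
    # Builds one entry shaped like `resource_changes[]` in `terraform show -json`.
    return {"type": rtype, "address": f"{rtype}.{key}",
            "change": {"actions": actions, "before": before, "after": after}}


# Constructed sample plan: client_3 is removed from var.clients, so its
# service is deleted and the group is updated in place.
SAMPLE_PLAN = {"resource_changes": [
    _change(SERVICE_TYPE, 'tcp_service["client_1"]', ["no-op"],
            {"name": "tcp_client_1"}, {"name": "tcp_client_1"}),
    _change(SERVICE_TYPE, 'tcp_service["client_3"]', ["delete"],
            {"name": "tcp_client_3"}, None),
    _change(GROUP_TYPE, "smpp_services", ["update"],
            {"name": "smpp_services", "members": ["tcp_client_1", "tcp_client_3"]},
            {"name": "smpp_services", "members": ["tcp_client_1"]}),
]}


def blocked_deletes(plan):
    """List (service, [groups]) for deletes that run while a group still has the member."""
    changes = plan.get("resource_changes", [])
    # Membership as it exists on the management server now ("before"): the
    # delete runs first, so the group's planned "after" value does not help.
    members_now = {}
    for rc in changes:
        before = rc["change"].get("before")
        if rc["type"] == GROUP_TYPE and before:
            members_now[before["name"]] = set(before.get("members") or [])
    findings = []
    for rc in changes:
        ch = rc["change"]
        # ["delete"] and ["delete", "create"] both destroy the object first.
        if rc["type"] != SERVICE_TYPE or ch["actions"][:1] != ["delete"]:
            continue
        name = ch["before"]["name"]
        groups = sorted(g for g, m in members_now.items() if name in m)
        if groups:
            findings.append((name, groups))
    return findings


if __name__ == "__main__":
    for name, groups in blocked_deletes(SAMPLE_PLAN):
        print(f"{name}: still referenced by {', '.join(groups)}; delete would get 409")
```

For a real plan, pass `blocked_deletes` the parsed output of `terraform show -json` run on a saved plan file.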
