Hi Team
I'm trying to set up a cluster with a rulebase that includes data center objects. This requires the gateway to have Identity Awareness enabled with the Identity Web API configured. That can be done via the Management Web API / mgmt_cli, but the Terraform resource does not expose these settings.
I'm using the latest Check Point provider version (2.9.0)
These are the missing fields:
For reference and if that helps someone:
At present I have to resort to a remote-exec provisioner that runs mgmt_cli commands on the management server:
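# Render the mgmt_cli script that enables the Identity Web API on the cluster.
# NOTE(review): client-secret is the management admin password reused as the Identity Web API
# client secret. That ties a gateway-facing API credential to the admin account; a dedicated
# secret would be preferable. The rendered content (secret included) is also recorded in the
# Terraform state, so the state backend must be treated as sensitive.
resource "local_file" "generate-cxl-enable_web-identity-api-script" {
  depends_on = [
    checkpoint_management_publish.publish-clusterxl-create,
    checkpoint_management_publish.publish-cluster-security-policy,
  ]

  content = templatefile("${path.module}/scripts/template_cxl-enable_web-identity-api.sh", {
    cluster_name   = checkpoint_management_simple_cluster.create_cluster_object.name
    identityWebApi = checkpoint_management_host.identityWebApi.name
    client-secret  = local.infra_outputs.cpfwm_admin_password
    package        = checkpoint_management_package.ClusterXL-Policy.name
  })

  # The rendered script holds the secret in clear text; keep it readable by the owner only
  # (the default is world-readable).
  file_permission = "0600"

  # The ".sh.sh" suffix looks unintended but is kept: the null_resource references this
  # attribute, so the value only matters for consistency.
  filename = "${path.module}/scripts/dynamic/cxl-enable_web-identity-api.sh.sh"
}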
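# Copy the rendered script to the management server over SSH and run it there.
resource "null_resource" "update_cluster_webapi" {
  depends_on = [
    checkpoint_management_publish.publish-clusterxl-create,
    checkpoint_management_publish.publish-cluster-security-policy,
    local_file.generate-cxl-enable_web-identity-api-script,
  ]

  # SSH connection details to the Check Point management server.
  # NOTE(review): no host_key is given, so the provisioner trusts whatever host key the public
  # IP presents; pin it with host_key once the management server's key is known.
  connection {
    type        = "ssh"
    host        = local.infra_outputs.cpfwm_public_ip
    user        = "admin"
    private_key = file(local.infra_outputs.admin_ssh_key_location)
  }

  # Everything the script prints ends up in Terraform's provisioner output, so the script itself
  # is responsible for not echoing secrets or the API session id.
  provisioner "remote-exec" {
    script = local_file.generate-cxl-enable_web-identity-api-script.filename
  }

  # Terraform only honours dependencies on initial creation. A changing trigger forces the
  # provisioner to run on every apply, so a run that failed half-way is retried next time.
  triggers = {
    always_run = timestamp()
  }
}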
#!/bin/bash
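#######################################
# Run one command line and report its status.
# Arguments: $1 - the command as a single string. Runs of whitespace are
#            collapsed to one space and the string is then word-split by
#            the shell; quoting inside the string is NOT honoured, so
#            arguments must not contain spaces.
# Outputs:   a SUCCESS line on stdout. Any value following a
#            "client-secret" key is replaced by <redacted> before printing,
#            because stdout is captured by Terraform's remote-exec output.
# Returns:   0 on success. On failure prints the command's combined
#            stdout/stderr to stderr and exits the script with that status.
#######################################
run_command() {
  local cmd="$1"
  local output status shown
  cmd=$(echo "$cmd" | sed -r "s/\s+/ /g")
  # Redacted copy used for all log lines; the real command line is never printed.
  shown=$(printf '%s' "$cmd" | sed -r 's/(client-secret) [^ ]+/\1 <redacted>/g')
  # Intentionally unquoted: the string interface relies on word-splitting.
  output=$($cmd 2>&1)
  status=$?
  if [ $status -eq 0 ]; then
    echo "✅ SUCCESS: $shown"
  else
    # printf rather than echo: the original printed a literal "\n".
    printf '❌ ERROR: %s\n' "$shown" >&2
    printf '%s\n' "$output" >&2
    exit $status
  fi
}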
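# Login to the Check Point Management API.
# "-r true" logs in as root from the management server itself, so no credentials travel in this
# script. The session file gets a random name and mode 0600 instead of a predictable sid.json in
# the working directory.
SID_FILE=$(mktemp /tmp/cp-sid.XXXXXX) || exit 1

# Runs on every exit path. run_command exits the script on the first failing command, which would
# otherwise leave the API session open and the session file on disk. The session is discarded
# first so a half-applied change presumably does not keep objects locked; the always_run trigger
# re-runs the whole script on the next apply anyway. The success path removes the file itself,
# so this is effectively the failure path only.
cleanup() {
  if [ -f "$SID_FILE" ]; then
    mgmt_cli -s "$SID_FILE" discard >/dev/null 2>&1
    mgmt_cli -s "$SID_FILE" logout >/dev/null 2>&1
    rm -f -- "$SID_FILE"
  fi
}
trap cleanup EXIT

mgmt_cli login -r true -f json > "$SID_FILE"
SESSION_ID=$(jq -r '.sid' "$SID_FILE")
if [ "$SESSION_ID" == "null" ] || [ -z "$SESSION_ID" ]; then
  echo "❌ ERROR: Failed to authenticate with Check Point Management API" >&2
  exit 1
fi
# The sid is a bearer token for this session: it is deliberately NOT printed, because stdout is
# captured into Terraform's remote-exec output.
echo "✅ Logged in successfully."

# Commands to execute, in order. Each one is a single string that run_command word-splits, so the
# Terraform-supplied object names must not contain spaces.
# NOTE(review): allow-access-from all_interfaces exposes the Identity Web API on every gateway
# interface; restrict it to the interface the identity source actually reaches if possible.
COMMANDS=(
  "mgmt_cli -s $SID_FILE set simple-cluster name ${cluster_name}
  ignore-warnings true
  identity-awareness-settings.identity-web-api true
  identity-awareness-settings.identity-web-api-settings.authorized-clients.1.client ${identityWebApi}
  identity-awareness-settings.identity-web-api-settings.authorized-clients.1.client-secret ${client-secret}
  identity-awareness-settings.identity-web-api-settings.client-access-permissions.accessibility.allow-access-from all_interfaces
  -f json"
  "mgmt_cli -s $SID_FILE publish -f json"
  "mgmt_cli -s $SID_FILE set package name ${package} installation-targets ${cluster_name}"
  "mgmt_cli -s $SID_FILE publish -f json"
)

# Execute each command. The audit line written to /var/log/terraform.log is redacted: the value
# after the client-secret key used to be logged in clear text.
for CMD in "$${COMMANDS[@]}"; do
  printf '%s\n' "$CMD" | sed -r 's/(client-secret) [^ ]+/\1 <redacted>/' >> /var/log/terraform.log
  run_command "$CMD"
done

# Logout from the Check Point Management API, then drop the session file so cleanup() has
# nothing left to do.
run_command "mgmt_cli -s $SID_FILE logout"
rm -f -- "$SID_FILE"
echo "✅ All commands executed successfully."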
