From 7631efb66d4f1036a0914bfffd0e8f7100c432de Mon Sep 17 00:00:00 2001 From: adambar Date: Wed, 28 Aug 2024 12:08:25 +0300 Subject: [PATCH 1/2] interface + override_categorization commit --- CHANGELOG.md | 4 + ..._source_checkpoint_management_interface.go | 658 ++++++++++ ...ce_checkpoint_management_interface_test.go | 81 ++ ...oint_management_override_categorization.go | 163 +++ ...management_override_categorization_test.go | 45 + checkpoint/provider.go | 4 + ...esource_checkpoint_management_interface.go | 1142 +++++++++++++++++ ...ce_checkpoint_management_interface_test.go | 138 ++ ...oint_management_override_categorization.go | 328 +++++ ...management_override_categorization_test.go | 110 ++ website/checkpoint.erb | 6 + ...ckpoint_management_interface.html.markdown | 119 ++ ...nagement_internal_trusted_ca.html.markdown | 3 +- ...ment_override_categorization.html.markdown | 39 + ...ckpoint_management_interface.html.markdown | 119 ++ ...ment_override_categorization.html.markdown | 37 + 16 files changed, 2994 insertions(+), 2 deletions(-) create mode 100644 checkpoint/data_source_checkpoint_management_interface.go create mode 100644 checkpoint/data_source_checkpoint_management_interface_test.go create mode 100644 checkpoint/data_source_checkpoint_management_override_categorization.go create mode 100644 checkpoint/data_source_checkpoint_management_override_categorization_test.go create mode 100644 checkpoint/resource_checkpoint_management_interface.go create mode 100644 checkpoint/resource_checkpoint_management_interface_test.go create mode 100644 checkpoint/resource_checkpoint_management_override_categorization.go create mode 100644 checkpoint/resource_checkpoint_management_override_categorization_test.go create mode 100644 website/docs/d/checkpoint_management_interface.html.markdown create mode 100644 website/docs/d/checkpoint_management_override_categorization.html.markdown create mode 100644 website/docs/r/checkpoint_management_interface.html.markdown create mode 100644 website/docs/r/checkpoint_management_override_categorization.html.markdown diff --git a/CHANGELOG.md b/CHANGELOG.md index b08b8b6d..b175b0dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ FEATURES +* **New Resource:** `checkpoint_management_override_categorization` +* **New Resource:** `checkpoint_management_interface` * **New Resource:** `checkpoint_management_resource_smtp` * **New Resource:** `checkpoint_management_resource_uri` * **New Resource:** `checkpoint_management_resource_ftp` @@ -24,6 +26,8 @@ FEATURES * **New Resource:** `checkpoint_management_data_type_group` * **New Resource:** `checkpoint_management_data_type_traditional_group` * **New Resource:** `checkpoint_management_data_type_compound_group` +* **New Data Source:** `checkpoint_management_override_categorization` +* **New Data Source:** `checkpoint_management_interface` * **New Data Source:** `checkpoint_management_resource_smtp` * **New Data Source:** `checkpoint_management_resource_uri` * **New Data Source:** `checkpoint_management_resource_ftp` diff --git a/checkpoint/data_source_checkpoint_management_interface.go b/checkpoint/data_source_checkpoint_management_interface.go new file mode 100644 index 00000000..4dc97b65 --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_interface.go @@ -0,0 +1,658 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementInterface() *schema.Resource { + return &schema.Resource{ + Read: dataSourceManagementInterfaceRead, + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Network interface name.", + }, + "uid": { + Type: schema.TypeString, + Optional: true, + Description: "Object unique identifier.", + }, + "gateway_uid": { + Type: schema.TypeString, + Optional: true, + Description: "Gateway or cluster object uid that the interface belongs to. Required only if name was specified.", + }, + + "anti_spoofing": { + Type: schema.TypeBool, + Computed: true, + Description: "Enable anti-spoofing.", + }, + "anti_spoofing_settings": { + Type: schema.TypeList, + Computed: true, + Description: "Anti Spoofing Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Computed: true, + Description: "If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option).", + }, + "exclude_packets": { + Type: schema.TypeBool, + Computed: true, + Description: "Don't check packets from excluded network.", + }, + "excluded_network_name": { + Type: schema.TypeString, + Computed: true, + Description: "Excluded network name.", + }, + "excluded_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "Excluded network UID.", + }, + "spoof_tracking": { + Type: schema.TypeString, + Computed: true, + Description: "Spoof tracking.", + }, + }, + }, + }, + "cluster_members": { + Type: schema.TypeList, + Computed: true, + Description: "Network interface settings for cluster members.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Computed: true, + Description: "Cluster member network interface name.", + }, + "member_uid": { + Type: schema.TypeString, + Computed: true, + Description: "Cluster member object uid.", + }, + "member_name": { + Type: schema.TypeString, + Computed: true, + Description: "Cluster member object name.", + }, + "ipv4_address": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 address.", + }, + "ipv6_address": { + Type: schema.TypeString, + Computed: true, + Description: "IPv6 address.", + }, + "network_mask": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly.", + }, + "ipv4_network_mask": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 network address.", + }, + "ipv6_network_mask": { + Type: schema.TypeString, + Computed: true, + Description: "IPv6 network address.", + }, + "ipv4_mask_length": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 network mask length.", + }, + "ipv6_mask_length": { + Type: schema.TypeString, + Computed: true, + Description: "IPv6 network mask length.", + }, + }, + }, + }, + "cluster_network_type": { + Type: schema.TypeString, + Computed: true, + Description: "Cluster interface type.", + }, + "dynamic_ip": { + Type: schema.TypeBool, + Computed: true, + Description: "Enable dynamic interface.", + }, + "ipv4_address": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 network address.", + }, + "ipv4_mask_length": { + Type: schema.TypeInt, + Computed: true, + Description: "IPv4 mask length.", + }, + "ipv4_network_mask": { + Type: schema.TypeString, + Computed: true, + Description: "IPv4 network mask.", + }, + "ipv6_address": { + Type: schema.TypeString, + Computed: true, + Description: "IPv6 address.", + }, + "ipv6_mask_length": { + Type: schema.TypeInt, + Computed: true, + Description: "IPv6 mask length.", + }, + "ipv6_network_mask": { + Type: schema.TypeString, + Computed: true, + Description: "IPv6 network mask.", + }, + "monitored_by_cluster": { + Type: schema.TypeBool, + Computed: true, + Description: "When Private is selected as the Cluster interface type, cluster can monitor or not monitor the interface.", + }, + "network_interface_type": { + Type: schema.TypeString, + Computed: true, + Description: "Network Interface Type.", + }, + "security_zone_settings": { + Type: schema.TypeList, + Computed: true, + Description: "Security Zone Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_calculated": { + Type: schema.TypeBool, + Computed: true, + Description: "Security Zone is calculated according to where the interface leads to.", + }, + "specific_zone": { + Type: schema.TypeString, + Computed: true, + Description: "Security Zone specified manually.", + }, + "specific_zone_uid": { + Type: schema.TypeString, + Computed: true, + Description: "Security Zone specified manually.", + }, + "auto_calculated_zone": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + "auto_calculated_zone_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + "specific_security_zone_enabled": { + Type: schema.TypeBool, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "tags": { + Type: schema.TypeSet, + Computed: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "topology": { + Type: schema.TypeString, + Computed: true, + Description: "Topology configuration.", + }, + "topology_automatic": { + Type: schema.TypeString, + Computed: true, + Description: "Topology configuration automatically calculated by get-interfaces command.", + }, + "topology_manual": { + Type: schema.TypeString, + Computed: true, + Description: "Topology configuration manually defined.", + }, + "topology_settings": { + Type: schema.TypeList, + Computed: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Computed: true, + Description: "Network Settings behind this interface.", + }, + "specific_network": { + Type: schema.TypeString, + Computed: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "topology_settings_automatic": { + Type: schema.TypeList, + Computed: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Computed: true, + Description: "Network Settings behind this interface.", + }, + "specific_network": { + Type: schema.TypeString, + Computed: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "topology_settings_manual": { + Type: schema.TypeList, + Computed: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Computed: true, + Description: "Network Settings behind this interface.", + }, + "specific_network": { + Type: schema.TypeString, + Computed: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "color": { + Type: schema.TypeString, + Optional: true, + Description: "Color of the object. Should be one of existing colors.", + Default: "black", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Comments string.", + }, + }, + } +} + +func dataSourceManagementInterfaceRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + name := d.Get("name").(string) + uid := d.Get("uid").(string) + + payload := make(map[string]interface{}) + + if name != "" { + payload["name"] = name + } else if uid != "" { + payload["uid"] = uid + } + if v, ok := d.GetOk("gateway_uid"); ok { + payload["gateway-uid"] = v + } + showInterfaceRes, err := client.ApiCall("show-interface", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showInterfaceRes.Success { + if objectNotFound(showInterfaceRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showInterfaceRes.ErrorMsg) + } + + interfaceMap := showInterfaceRes.GetData() + + log.Println("Read Interface - Show JSON = ", interfaceMap) + + if v := interfaceMap["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + + if v := interfaceMap["name"]; v != nil { + _ = d.Set("name", v) + } + + if v := interfaceMap["gateway"]; v != nil { + + gwObj := v.(map[string]interface{}) + if v := gwObj["uid"]; v != nil { + _ = d.Set("gateway_uid", v) + } + + } + + if v := interfaceMap["anti-spoofing"]; v != nil { + _ = d.Set("anti_spoofing", v) + } + + if interfaceMap["anti-spoofing-settings"] != nil { + + antiSpoofingSettingsMap := interfaceMap["anti-spoofing-settings"].(map[string]interface{}) + + antiSpoofingSettingsMapToReturn := make(map[string]interface{}) + + if v, _ := antiSpoofingSettingsMap["action"]; v != nil { + antiSpoofingSettingsMapToReturn["action"] = v + } + if v, _ := antiSpoofingSettingsMap["exclude-packets"]; v != nil { + antiSpoofingSettingsMapToReturn["exclude_packets"] = v + } + if v, _ := antiSpoofingSettingsMap["excluded-network-name"]; v != nil { + antiSpoofingSettingsMapToReturn["excluded_network_name"] = v + } + if v, _ := antiSpoofingSettingsMap["excluded-network-uid"]; v != nil { + antiSpoofingSettingsMapToReturn["excluded_network_uid"] = v + } + if v, _ := antiSpoofingSettingsMap["spoof-tracking"]; v != nil { + antiSpoofingSettingsMapToReturn["spoof_tracking"] = v + } + _ = d.Set("anti_spoofing_settings", []interface{}{antiSpoofingSettingsMapToReturn}) + } else { + _ = d.Set("anti_spoofing_settings", nil) + } + + if interfaceMap["cluster-members"] != nil { + + clusterMembersList, ok := interfaceMap["cluster-members"].([]interface{}) + + if ok { + + if len(clusterMembersList) > 0 { + + var clusterMembersListToReturn []map[string]interface{} + + for i := range clusterMembersList { + + clusterMembersMap := clusterMembersList[i].(map[string]interface{}) + + clusterMembersMapToAdd := make(map[string]interface{}) + + if v, _ := clusterMembersMap["name"]; v != nil { + clusterMembersMapToAdd["name"] = v + } + if v, _ := clusterMembersMap["member-uid"]; v != nil { + clusterMembersMapToAdd["member_uid"] = v + } + if v, _ := clusterMembersMap["member-name"]; v != nil { + clusterMembersMapToAdd["member_name"] = v + } + if v, _ := clusterMembersMap["ipv4-address"]; v != nil { + clusterMembersMapToAdd["ipv4_address"] = v + } + if v, _ := clusterMembersMap["ipv6-address"]; v != nil { + clusterMembersMapToAdd["ipv6_address"] = v + } + if v, _ := clusterMembersMap["network-mask"]; v != nil { + clusterMembersMapToAdd["network_mask"] = v + } + if v, _ := clusterMembersMap["ipv4-network-mask"]; v != nil { + clusterMembersMapToAdd["ipv4_network_mask"] = v + } + if v, _ := clusterMembersMap["ipv6-network-mask"]; v != nil { + clusterMembersMapToAdd["ipv6_network_mask"] = v + } + if v, _ := clusterMembersMap["ipv4-mask-length"]; v != nil { + clusterMembersMapToAdd["ipv4_mask_length"] = v + } + if v, _ := clusterMembersMap["ipv6-mask-length"]; v != nil { + clusterMembersMapToAdd["ipv6_mask_length"] = v + } + clusterMembersListToReturn = append(clusterMembersListToReturn, clusterMembersMapToAdd) + } + } + } + } + + if v := interfaceMap["cluster-network-type"]; v != nil { + _ = d.Set("cluster_network_type", v) + } + + if v := interfaceMap["ipv4-address"]; v != nil { + _ = d.Set("ipv4_address", v) + } + + if v := interfaceMap["ipv4-mask-length"]; v != nil { + _ = d.Set("ipv4_mask_length", v) + } + + if v := interfaceMap["ipv4-network-mask"]; v != nil { + _ = d.Set("ipv4_network_mask", v) + } + + if v := interfaceMap["ipv6-address"]; v != nil { + _ = d.Set("ipv6_address", v) + } + + if v := interfaceMap["ipv6-mask-length"]; v != nil { + _ = d.Set("ipv6_mask_length", v) + } + + if v := interfaceMap["ipv6-network-mask"]; v != nil { + _ = d.Set("ipv6_network_mask", v) + } + + if v := interfaceMap["monitored-by-cluster"]; v != nil { + _ = d.Set("monitored_by_cluster", v) + } + + if v := interfaceMap["network-interface-type"]; v != nil { + _ = d.Set("network_interface_type", v) + } + + if interfaceMap["security-zone-settings"] != nil { + + securityZoneSettingsMap := interfaceMap["security-zone-settings"].(map[string]interface{}) + + securityZoneSettingsMapToReturn := make(map[string]interface{}) + + if v, _ := securityZoneSettingsMap["auto-calculated"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated"] = v + } + if v, _ := securityZoneSettingsMap["specific-zone"]; v != nil { + securityZoneSettingsMapToReturn["specific_zone"] = v + } + if v, _ := securityZoneSettingsMap["specific-zone-uid"]; v != nil { + securityZoneSettingsMapToReturn["specific_zone_uid"] = v + } + if v, _ := securityZoneSettingsMap["auto-calculated-zone"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated_zone"] = v + } + if v, _ := securityZoneSettingsMap["auto-calculated-zone-uid"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated_zone_uid"] = v + } + if v, _ := securityZoneSettingsMap["specific-security-zone-enabled"]; v != nil { + securityZoneSettingsMapToReturn["specific_security_zone_enabled"] = v + } + _ = d.Set("security_zone_settings", []interface{}{securityZoneSettingsMapToReturn}) + } else { + _ = d.Set("security_zone_settings", nil) + } + + if interfaceMap["tags"] != nil { + tagsJson, ok := interfaceMap["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := interfaceMap["topology"]; v != nil { + _ = d.Set("topology", v) + } + if v := interfaceMap["topology-automatic"]; v != nil { + _ = d.Set("topology_automatic", v) + } + if v := interfaceMap["topology-settings"]; v != nil { + _ = d.Set("topology_settings", v) + } + + if interfaceMap["topology-settings"] != nil { + + topologySettingsMap := interfaceMap["topology-settings"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings", nil) + } + + if interfaceMap["topology-settings-automatic"] != nil { + + topologySettingsMap := interfaceMap["topology-settings-automatic"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings_automatic", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings_automatic", nil) + } + + if interfaceMap["topology-settings-manual"] != nil { + + topologySettingsMap := interfaceMap["topology-settings-manual"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings_manual", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings_manual", nil) + } + + if v := interfaceMap["color"]; v != nil { + _ = d.Set("color", v) + } + + if v := interfaceMap["comments"]; v != nil { + _ = d.Set("comments", v) + } + + if v := interfaceMap["ignore-warnings"]; v != nil { + _ = d.Set("ignore_warnings", v) + } + + if v := interfaceMap["ignore-errors"]; v != nil { + _ = d.Set("ignore_errors", v) + } + + return nil + +} diff --git a/checkpoint/data_source_checkpoint_management_interface_test.go b/checkpoint/data_source_checkpoint_management_interface_test.go new file mode 100644 index 00000000..96b06ee7 --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_interface_test.go @@ -0,0 +1,81 @@ +package checkpoint + +import ( + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "os" + "testing" +) + +func TestAccDataSourceCheckpointManagementInterface_basic(t *testing.T) { + + objName := "tfTestManagementDataInteroperableDevice_" + acctest.RandString(6) + resourceName := "checkpoint_management_interface.test" + dataSourceName := "data.checkpoint_management_interface.data" + + context := os.Getenv("CHECKPOINT_CONTEXT") + if context != "web_api" { + t.Skip("Skipping management test") + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceManagementInterfaceConfig(objName), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttrPair(dataSourceName, "name", resourceName, "name"), + ), + }, + }, + }) + +} + +func testAccDataSourceManagementInterfaceConfig(name string) string { + return fmt.Sprintf(` +resource "checkpoint_management_simple_gateway" "fw" { + name = "gw3" + ipv4_address = "192.0.2.1" +} + + +resource "checkpoint_management_interface" "test" { + name = "%s" + gateway_uid = "${checkpoint_management_simple_gateway.fw.id}" + ipv4_address = "1.1.1.114" + ipv4_mask_length = 24 + anti_spoofing_settings { + action = "detect" + exclude_packets = false + spoof_tracking = "log" + + } + + security_zone_settings { + auto_calculated = false + specific_zone = "InternalZone" + + } + topology_settings { + interface_leads_to_dmz = false + ip_address_behind_this_interface = "network defined by routing" + + } + topology = "internal" + network_interface_type = "ethernet" + cluster_members { + name = "eth4" + member_name = "member1" + ipv4_address = "192.168.1.2" + } + +} +data "checkpoint_management_interface" "data" { + name = "${checkpoint_management_interface.test.name}" + gateway_uid = "${checkpoint_management_interface.test.gateway_uid}" +} +`, name) +} diff --git a/checkpoint/data_source_checkpoint_management_override_categorization.go b/checkpoint/data_source_checkpoint_management_override_categorization.go new file mode 100644 index 00000000..48e0859a --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_override_categorization.go @@ -0,0 +1,163 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementOverrideCategorization() *schema.Resource { + return &schema.Resource{ + + Read: dataSourceManagementOverrideCategorizationRead, + + Schema: map[string]*schema.Schema{ + "url": { + Type: schema.TypeString, + Optional: true, + Description: "The URL for which we want to update the category and risk definitions, the URL and the object name are the same for Override Categorization.", + }, + "uid": { + Type: schema.TypeString, + Optional: true, + Description: "Object unique identifier.", + }, + "url_defined_as_regular_expression": { + Type: schema.TypeBool, + Computed: true, + Description: "States whether the URL is defined as a Regular Expression or not.", + }, + "new_primary_category": { + Type: schema.TypeString, + Computed: true, + Description: "Uid or name of the primary category based on its most defining aspect.", + }, + "tags": { + Type: schema.TypeSet, + Computed: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "risk": { + Type: schema.TypeString, + Computed: true, + Description: "States the override categorization risk.", + }, + "additional_categories": { + Type: schema.TypeSet, + Computed: true, + Description: "Uid or name of the categories to override in the Application and URL Filtering or Threat Prevention.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "color": { + Type: schema.TypeString, + Computed: true, + Description: "Color of the object. Should be one of existing colors.", + }, + "comments": { + Type: schema.TypeString, + Computed: true, + Description: "Comments string.", + }, + }, + } +} +func dataSourceManagementOverrideCategorizationRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := map[string]interface{}{} + + if v, ok := d.GetOk("url"); ok { + payload["url"] = v + } else { + payload["uid"] = d.Get("uid") + } + + showOverrideCategorizationRes, err := client.ApiCall("show-override-categorization", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showOverrideCategorizationRes.Success { + if objectNotFound(showOverrideCategorizationRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showOverrideCategorizationRes.ErrorMsg) + } + + overrideCategorization := showOverrideCategorizationRes.GetData() + + log.Println("Read OverrideCategorization - Show JSON = ", overrideCategorization) + + if v := overrideCategorization["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + if v := overrideCategorization["url"]; v != nil { + _ = d.Set("url", v) + } + + if v := overrideCategorization["url-defined-as-regular-expression"]; v != nil { + _ = d.Set("url_defined_as_regular_expression", v) + } + + if v := overrideCategorization["new-primary-category"]; v != nil { + objMap := v.(map[string]interface{}) + if v := objMap["name"]; v != nil { + _ = d.Set("new_primary_category", v) + } + } + + if overrideCategorization["tags"] != nil { + tagsJson, ok := overrideCategorization["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := overrideCategorization["risk"]; v != nil { + _ = d.Set("risk", v) + } + + if overrideCategorization["additional_categories"] != nil { + additionalCategoriesJson, ok := overrideCategorization["additional_categories"].([]interface{}) + if ok { + additionalCategoriesIds := make([]string, 0) + if len(additionalCategoriesJson) > 0 { + for _, additional_categories := range additionalCategoriesJson { + additional_categories := additional_categories.(map[string]interface{}) + additionalCategoriesIds = append(additionalCategoriesIds, additional_categories["name"].(string)) + } + } + _ = d.Set("additional_categories", additionalCategoriesIds) + } + } else { + _ = d.Set("additional_categories", nil) + } + + if v := overrideCategorization["color"]; v != nil { + _ = d.Set("color", v) + } + + if v := overrideCategorization["comments"]; v != nil { + _ = d.Set("comments", v) + } + + return nil + +} diff --git a/checkpoint/data_source_checkpoint_management_override_categorization_test.go b/checkpoint/data_source_checkpoint_management_override_categorization_test.go new file mode 100644 index 00000000..c85a6873 --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_override_categorization_test.go @@ -0,0 +1,45 @@ +package checkpoint + +import ( + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "os" + "testing" +) + +func TestAccDataSourceCheckpointManagementOverrideCategorization_basic(t *testing.T) { + + //resourceName := "checkpoint_management_override_categorization.test" + context := os.Getenv("CHECKPOINT_CONTEXT") + if context != "web_api" { + t.Skip("Skipping management test") + } else if context == "" { + t.Skip("Env CHECKPOINT_CONTEXT must be specified to run this acc test") + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckpointManagementOverrideCategorizationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccDataSourceManagementOverrideCategorizationConfig("ramdomUrl", "Botnets", "low"), + Check: resource.ComposeTestCheckFunc(), + }, + }, + }) +} + +func testAccDataSourceManagementOverrideCategorizationConfig(url string, newPrimaryCategory string, risk string) string { + return fmt.Sprintf(` +resource "checkpoint_management_override_categorization" "test" { + url = "%s" + new_primary_category = "%s" + risk = "%s" +} + +data "checkpoint_management_override_categorization" "data" { + url = "${checkpoint_management_override_categorization.test.url}" +} +`, url, newPrimaryCategory, risk) +} diff --git a/checkpoint/provider.go b/checkpoint/provider.go index 134fd19e..c68b0326 100644 --- a/checkpoint/provider.go +++ b/checkpoint/provider.go @@ -111,6 +111,8 @@ func Provider() terraform.ResourceProvider { }, }, ResourcesMap: map[string]*schema.Resource{ + "checkpoint_management_override_categorization": resourceManagementOverrideCategorization(), + "checkpoint_management_interface": resourceManagementInterface(), "checkpoint_management_resource_cifs": resourceManagementResourceCifs(), "checkpoint_management_resource_ftp": resourceManagementResourceFtp(), "checkpoint_management_resource_smtp": resourceManagementResourceSmtp(), @@ -314,6 +316,8 @@ func Provider() terraform.ResourceProvider { "checkpoint_management_cme_gw_configurations_gcp": resourceManagementCMEGWConfigurationsGCP(), }, DataSourcesMap: map[string]*schema.Resource{ + "checkpoint_management_override_categorization": dataSourceManagementOverrideCategorization(), + "checkpoint_management_interface": dataSourceManagementInterface(), "checkpoint_management_resource_cifs": dataSourceManagementResourceCifs(), "checkpoint_management_resource_ftp": dataSourceManagementResourceFtp(), "checkpoint_management_resource_smtp": dataSourceManagementResourceSmtp(), diff --git a/checkpoint/resource_checkpoint_management_interface.go b/checkpoint/resource_checkpoint_management_interface.go new file mode 100644 index 00000000..e69f1cdf --- /dev/null +++ b/checkpoint/resource_checkpoint_management_interface.go @@ -0,0 +1,1142 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" + "strconv" +) + +func resourceManagementInterface() *schema.Resource { + return &schema.Resource{ + Create: createManagementInterface, + Read: readManagementInterface, + Update: updateManagementInterface, + Delete: deleteManagementInterface, + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "Network interface name.", + }, + "gateway_uid": { + Type: schema.TypeString, + Required: true, + Description: "Gateway or cluster object uid that the interface belongs to. Required only if name was specified.", + }, + + "anti_spoofing": { + Type: schema.TypeBool, + Optional: true, + Description: "Enable anti-spoofing.", + Default: false, + }, + "anti_spoofing_settings": { + Type: schema.TypeList, + Optional: true, + Description: "Anti Spoofing Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "action": { + Type: schema.TypeString, + Optional: true, + Description: "If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option).", + Default: "prevent", + }, + "exclude_packets": { + Type: schema.TypeBool, + Optional: true, + Description: "Don't check packets from excluded network.", + }, + "excluded_network_name": { + Type: schema.TypeString, + Optional: true, + Description: "Excluded network name.", + }, + "excluded_network_uid": { + Type: schema.TypeString, + Optional: true, + Description: "Excluded network UID.", + }, + "spoof_tracking": { + Type: schema.TypeString, + Optional: true, + Description: "Spoof tracking.", + Default: "log", + }, + }, + }, + }, + "cluster_members": { + Type: schema.TypeList, + Optional: true, + Description: "Network interface settings for cluster members.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + Description: "Cluster member network interface name.", + }, + "member_uid": { + Type: schema.TypeString, + Optional: true, + Description: "Cluster member object uid.", + }, + "member_name": { + Type: schema.TypeString, + Optional: true, + Description: "Cluster member object name.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 address.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 address.", + }, + "network_mask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly.", + }, + "ipv4_network_mask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 network address.", + }, + "ipv6_network_mask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 network address.", + }, + "ipv4_mask_length": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 network mask length.", + }, + "ipv6_mask_length": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 network mask length.", + }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "color": { + Type: schema.TypeString, + Optional: true, + Description: "Color of the object. Should be one of existing colors.", + Default: "black", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Comments string.", + }, + }, + }, + }, + "cluster_network_type": { + Type: schema.TypeString, + Optional: true, + Description: "Cluster interface type.", + }, + "dynamic_ip": { + Type: schema.TypeBool, + Optional: true, + Description: "Enable dynamic interface.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 network address.", + }, + "ipv4_mask_length": { + Type: schema.TypeInt, + Optional: true, + Description: "IPv4 mask length.", + }, + "ipv4_network_mask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 network mask.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 address.", + }, + "ipv6_mask_length": { + Type: schema.TypeInt, + Optional: true, + Description: "IPv6 mask length.", + }, + "ipv6_network_mask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 network mask.", + }, + "monitored_by_cluster": { + Type: schema.TypeBool, + Optional: true, + Description: "When Private is selected as the Cluster interface type, cluster can monitor or not monitor the interface.", + Default: false, + }, + "network_interface_type": { + Type: schema.TypeString, + Optional: true, + Description: "Network Interface Type.", + }, + "security_zone_settings": { + Type: schema.TypeList, + Optional: true, + Description: "Security Zone Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auto_calculated": { + Type: schema.TypeBool, + Optional: true, + Description: "Security Zone is calculated according to where the interface leads to.", + }, + "specific_zone": { + Type: schema.TypeString, + Optional: true, + Description: "Security Zone specified manually.", + }, + "specific_zone_uid": { + Type: schema.TypeString, + Computed: true, + Description: "Security Zone specified manually.", + }, + "auto_calculated_zone": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + "auto_calculated_zone_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + "specific_security_zone_enabled": { + Type: schema.TypeBool, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "topology": { + Type: schema.TypeString, + Optional: true, + Description: "Topology configuration.", + }, + "topology_automatic": { + Type: schema.TypeString, + Computed: true, + Description: "Topology configuration automatically calculated by get-interfaces command.", + }, + "topology_manual": { + Type: schema.TypeString, + Computed: true, + Description: "Topology configuration manually defined.", + }, + "topology_settings": { + Type: schema.TypeList, + Optional: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Optional: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Optional: true, + Description: "Network Settings behind this interface.", + Default: "not defined", + }, + "specific_network": { + Type: schema.TypeString, + Optional: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Optional: true, + Description: "N/A", + }, + }, + }, + }, + "topology_settings_automatic": { + Type: schema.TypeList, + Computed: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Computed: true, + Description: "Network Settings behind this interface.", + }, + "specific_network": { + Type: schema.TypeString, + Computed: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "topology_settings_manual": { + Type: schema.TypeList, + Computed: true, + Description: "Topology Settings.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interface_leads_to_dmz": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether this interface leads to demilitarized zone (perimeter network).", + }, + "ip_address_behind_this_interface": { + Type: schema.TypeString, + Computed: true, + Description: "Network Settings behind this interface.", + }, + "specific_network": { + Type: schema.TypeString, + Computed: true, + Description: "Network behind this interface.", + }, + "specific_network_uid": { + Type: schema.TypeString, + Computed: true, + Description: "N/A", + }, + }, + }, + }, + "color": { + Type: schema.TypeString, + Optional: true, + Description: "Color of the object. Should be one of existing colors.", + Default: "black", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Comments string.", + }, + "ignore_warnings": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring warnings.", + Default: false, + }, + "ignore_errors": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.", + Default: false, + }, + }, + } +} + +func createManagementInterface(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + interfaceMap := make(map[string]interface{}) + + if v, ok := d.GetOk("name"); ok { + interfaceMap["name"] = v.(string) + } + + if v, ok := d.GetOk("gateway_uid"); ok { + interfaceMap["gateway-uid"] = v.(string) + } + + if v, ok := d.GetOkExists("anti_spoofing"); ok { + interfaceMap["anti-spoofing"] = v.(bool) + } + + if _, ok := d.GetOk("anti_spoofing_settings"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("anti_spoofing_settings.0.action"); ok { + res["action"] = v + } + if v, ok := d.GetOk("anti_spoofing_settings.0.exclude_packets"); ok { + res["exclude-packets"] = v + } + if v, ok := d.GetOk("anti_spoofing_settings.0.excluded_network_name"); ok { + res["excluded-network-name"] = v + } + if v, ok := d.GetOk("anti_spoofing_settings.0.excluded_network_uid"); ok { + res["excluded-network-uid"] = v + } + if v, ok := d.GetOk("anti_spoofing_settings.0.spoof_tracking"); ok { + res["spoof-tracking"] = v + } + interfaceMap["anti-spoofing-settings"] = res + } + + if v, ok := d.GetOk("cluster_members"); ok { + + clusterMembersList := v.([]interface{}) + + if len(clusterMembersList) > 0 { + + var clusterMembersPayload []map[string]interface{} + + for i := range clusterMembersList { + + Payload := make(map[string]interface{}) + + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".name"); ok { + Payload["name"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".member_uid"); ok { + Payload["member-uid"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".member_name"); ok { + Payload["member-name"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_address"); ok { + Payload["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_address"); ok { + Payload["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".network_mask"); ok { + Payload["network-mask"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_network_mask"); ok { + Payload["ipv4-network-mask"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_network_mask"); ok { + Payload["ipv6-network-mask"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_mask_length"); ok { + Payload["ipv4-mask-length"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_mask_length"); ok { + Payload["ipv6-mask-length"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".tags"); ok { + Payload["tags"] = v + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".color"); ok { + Payload["color"] = v.(string) + } + if v, ok := d.GetOk("cluster_members." + strconv.Itoa(i) + ".comments"); ok { + Payload["comments"] = v.(string) + } + clusterMembersPayload = append(clusterMembersPayload, Payload) + } + interfaceMap["cluster-members"] = clusterMembersPayload + } + } + + if v, ok := d.GetOk("cluster_network_type"); ok { + interfaceMap["cluster-network-type"] = v.(string) + } + + if v, ok := d.GetOkExists("dynamic_ip"); ok { + interfaceMap["dynamic-ip"] = v.(bool) + } + + if v, ok := d.GetOk("ipv4_address"); ok { + interfaceMap["ipv4-address"] = v.(string) + } + + if v, ok := d.GetOk("ipv4_mask_length"); ok { + interfaceMap["ipv4-mask-length"] = v.(int) + } + + if v, ok := d.GetOk("ipv4_network_mask"); ok { + interfaceMap["ipv4-network-mask"] = v.(string) + } + + if v, ok := d.GetOk("ipv6_address"); ok { + interfaceMap["ipv6-address"] = v.(string) + } + + if v, ok := d.GetOk("ipv6_mask_length"); ok { + interfaceMap["ipv6-mask-length"] = v.(int) + } + + if v, ok := d.GetOk("ipv6_network_mask"); ok { + interfaceMap["ipv6-network-mask"] = v.(string) + } + + if v, ok := d.GetOkExists("monitored_by_cluster"); ok { + interfaceMap["monitored-by-cluster"] = v.(bool) + } + + if v, ok := d.GetOk("network_interface_type"); ok { + interfaceMap["network-interface-type"] = v.(string) + } + + if _, ok := d.GetOk("security_zone_settings"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("security_zone_settings.0.auto_calculated"); ok { + res["auto-calculated"] = v + } + if v, ok := d.GetOk("security_zone_settings.0.specific_zone"); ok { + res["specific-zone"] = v + } + interfaceMap["security-zone-settings"] = res + } + + if v, ok := d.GetOk("tags"); ok { + interfaceMap["tags"] = v.(*schema.Set).List() + } + + if v, ok := d.GetOk("topology"); ok { + interfaceMap["topology"] = v.(string) + } + + if _, ok := d.GetOk("topology_settings"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("topology_settings.0.interface_leads_to_dmz"); ok { + res["interface-leads-to-dmz"] = v + } + if v, ok := d.GetOk("topology_settings.0.ip_address_behind_this_interface"); ok { + res["ip-address-behind-this-interface"] = v + } + if v, ok := d.GetOk("topology_settings.0.specific_network"); ok { + res["specific-network"] = v + } + if v, ok := d.GetOk("topology_settings.0.specific_network_uid"); ok { + res["specific-network-uid"] = v + } + interfaceMap["topology-settings"] = res + } + + if v, ok := d.GetOk("color"); ok { + interfaceMap["color"] = v.(string) + } + + if v, ok := d.GetOk("comments"); ok { + interfaceMap["comments"] = v.(string) + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + interfaceMap["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + interfaceMap["ignore-errors"] = v.(bool) + } + + log.Println("Create Interface - Map = ", interfaceMap) + + addInterfaceRes, err := client.ApiCall("add-interface", interfaceMap, client.GetSessionID(), true, false) + if err != nil || !addInterfaceRes.Success { + if addInterfaceRes.ErrorMsg != "" { + return fmt.Errorf(addInterfaceRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + d.SetId(addInterfaceRes.GetData()["uid"].(string)) + + return readManagementInterface(d, m) +} + +func readManagementInterface(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := map[string]interface{}{ + "uid": d.Id(), + } + + showInterfaceRes, err := client.ApiCall("show-interface", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showInterfaceRes.Success { + if objectNotFound(showInterfaceRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showInterfaceRes.ErrorMsg) + } + + interfaceMap := showInterfaceRes.GetData() + + log.Println("Read Interface - Show JSON = ", interfaceMap) + + if v := interfaceMap["name"]; v != nil { + _ = d.Set("name", v) + } + + if v := interfaceMap["gateway"]; v != nil { + + gwObj := v.(map[string]interface{}) + if v := gwObj["uid"]; v != nil { + _ = d.Set("gateway_uid", v) + } + + } + + if v := interfaceMap["anti-spoofing"]; v != nil { + _ = d.Set("anti_spoofing", v) + } + + if interfaceMap["anti-spoofing-settings"] != nil { + + antiSpoofingSettingsMap := interfaceMap["anti-spoofing-settings"].(map[string]interface{}) + + antiSpoofingSettingsMapToReturn := make(map[string]interface{}) + + if v, _ := antiSpoofingSettingsMap["action"]; v != nil { + antiSpoofingSettingsMapToReturn["action"] = v + } + if v, _ := antiSpoofingSettingsMap["exclude-packets"]; v != nil { + antiSpoofingSettingsMapToReturn["exclude_packets"] = v + } + if v, _ := antiSpoofingSettingsMap["excluded-network-name"]; v != nil { + antiSpoofingSettingsMapToReturn["excluded_network_name"] = v + } + if v, _ := antiSpoofingSettingsMap["excluded-network-uid"]; v != nil { + antiSpoofingSettingsMapToReturn["excluded_network_uid"] = v + } + if v, _ := antiSpoofingSettingsMap["spoof-tracking"]; v != nil { + antiSpoofingSettingsMapToReturn["spoof_tracking"] = v + } + _ = d.Set("anti_spoofing_settings", []interface{}{antiSpoofingSettingsMapToReturn}) + } else { + _ = d.Set("anti_spoofing_settings", nil) + } + + if interfaceMap["cluster-members"] != nil { + + clusterMembersList, ok := interfaceMap["cluster-members"].([]interface{}) + + if ok { + + if len(clusterMembersList) > 0 { + + var clusterMembersListToReturn []map[string]interface{} + + for i := range clusterMembersList { + + clusterMembersMap := clusterMembersList[i].(map[string]interface{}) + + clusterMembersMapToAdd := make(map[string]interface{}) + + if v, _ := clusterMembersMap["name"]; v != nil { + clusterMembersMapToAdd["name"] = v + } + if v, _ := clusterMembersMap["member-uid"]; v != nil { + clusterMembersMapToAdd["member_uid"] = v + } + if v, _ := clusterMembersMap["member-name"]; v != nil { + clusterMembersMapToAdd["member_name"] = v + } + if v, _ := clusterMembersMap["ipv4-address"]; v != nil { + clusterMembersMapToAdd["ipv4_address"] = v + } + if v, _ := clusterMembersMap["ipv6-address"]; v != nil { + clusterMembersMapToAdd["ipv6_address"] = v + } + if v, _ := clusterMembersMap["network-mask"]; v != nil { + clusterMembersMapToAdd["network_mask"] = v + } + if v, _ := clusterMembersMap["ipv4-network-mask"]; v != nil { + clusterMembersMapToAdd["ipv4_network_mask"] = v + } + if v, _ := clusterMembersMap["ipv6-network-mask"]; v != nil { + clusterMembersMapToAdd["ipv6_network_mask"] = v + } + if v, _ := clusterMembersMap["ipv4-mask-length"]; v != nil { + clusterMembersMapToAdd["ipv4_mask_length"] = v + } + if v, _ := clusterMembersMap["ipv6-mask-length"]; v != nil { + clusterMembersMapToAdd["ipv6_mask_length"] = v + } + clusterMembersListToReturn = append(clusterMembersListToReturn, clusterMembersMapToAdd) + } + _ = d.Set("cluster_members", clusterMembersListToReturn) + } + } + } + + if v := interfaceMap["cluster-network-type"]; v != nil { + _ = d.Set("cluster_network_type", v) + } + + if v := interfaceMap["ipv4-address"]; v != nil { + _ = d.Set("ipv4_address", v) + } + + if v := interfaceMap["ipv4-mask-length"]; v != nil { + _ = d.Set("ipv4_mask_length", v) + } + + if v := interfaceMap["ipv4-network-mask"]; v != nil { + _ = d.Set("ipv4_network_mask", v) + } + + if v := interfaceMap["ipv6-address"]; v != nil { + _ = d.Set("ipv6_address", v) + } + + if v := interfaceMap["ipv6-mask-length"]; v != nil { + _ = d.Set("ipv6_mask_length", v) + } + + if v := interfaceMap["ipv6-network-mask"]; v != nil { + _ = d.Set("ipv6_network_mask", v) + } + + if v := interfaceMap["monitored-by-cluster"]; v != nil { + _ = d.Set("monitored_by_cluster", v) + } + + if v := interfaceMap["network-interface-type"]; v != nil { + _ = d.Set("network_interface_type", v) + } + + if interfaceMap["security-zone-settings"] != nil { + + securityZoneSettingsMap := interfaceMap["security-zone-settings"].(map[string]interface{}) + + securityZoneSettingsMapToReturn := make(map[string]interface{}) + + if v, _ := securityZoneSettingsMap["auto-calculated"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated"] = v + } + if v, _ := securityZoneSettingsMap["specific-zone"]; v != nil { + securityZoneSettingsMapToReturn["specific_zone"] = v + } + if v, _ := securityZoneSettingsMap["specific-zone-uid"]; v != nil { + securityZoneSettingsMapToReturn["specific_zone_uid"] = v + } + if v, _ := securityZoneSettingsMap["auto-calculated-zone"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated_zone"] = v + } + if v, _ := securityZoneSettingsMap["auto-calculated-zone-uid"]; v != nil { + securityZoneSettingsMapToReturn["auto_calculated_zone_uid"] = v + } + if v, _ := securityZoneSettingsMap["specific-security-zone-enabled"]; v != nil { + securityZoneSettingsMapToReturn["specific_security_zone_enabled"] = v + } + _ = d.Set("security_zone_settings", []interface{}{securityZoneSettingsMapToReturn}) + } else { + _ = d.Set("security_zone_settings", nil) + } + + if interfaceMap["tags"] != nil { + tagsJson, ok := interfaceMap["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := interfaceMap["topology"]; v != nil { + _ = d.Set("topology", v) + } + if v := interfaceMap["topology-automatic"]; v != nil { + _ = d.Set("topology_automatic", v) + } + if v := interfaceMap["topology-settings"]; v != nil { + _ = d.Set("topology_settings", v) + } + + if interfaceMap["topology-settings"] != nil { + + topologySettingsMap := interfaceMap["topology-settings"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings", nil) + } + + if interfaceMap["topology-settings-automatic"] != nil { + + topologySettingsMap := interfaceMap["topology-settings-automatic"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings_automatic", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings_automatic", nil) + } + + if interfaceMap["topology-settings-manual"] != nil { + + topologySettingsMap := interfaceMap["topology-settings-manual"].(map[string]interface{}) + + topologySettingsMapToReturn := make(map[string]interface{}) + + if v, _ := topologySettingsMap["interface-leads-to-dmz"]; v != nil { + topologySettingsMapToReturn["interface_leads_to_dmz"] = v + } + if v, _ := topologySettingsMap["ip-address-behind-this-interface"]; v != nil { + topologySettingsMapToReturn["ip_address_behind_this_interface"] = v + } + if v, _ := topologySettingsMap["specific-network"]; v != nil { + topologySettingsMapToReturn["specific_network"] = v + } + if v, _ := topologySettingsMap["specific-network-uid"]; v != nil { + topologySettingsMapToReturn["specific_network_uid"] = v + } + _ = d.Set("topology_settings_manual", []interface{}{topologySettingsMapToReturn}) + } else { + _ = d.Set("topology_settings_manual", nil) + } + + if v := interfaceMap["color"]; v != nil { + _ = d.Set("color", v) + } + + if v := interfaceMap["comments"]; v != nil { + _ = d.Set("comments", v) + } + + if v := interfaceMap["ignore-warnings"]; v != nil { + _ = d.Set("ignore_warnings", v) + } + + if v := interfaceMap["ignore-errors"]; v != nil { + _ = d.Set("ignore_errors", v) + } + + return nil + +} + +func updateManagementInterface(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + interfaceMap := make(map[string]interface{}) + + if ok := d.HasChange("name"); ok { + oldName, newName := d.GetChange("name") + interfaceMap["name"] = oldName + interfaceMap["new-name"] = newName + } else { + interfaceMap["name"] = d.Get("name") + } + + if _, ok := d.GetOk("gateway_uid"); ok { + interfaceMap["gateway-uid"] = d.Get("gateway_uid") + } + + if v, ok := d.GetOkExists("anti_spoofing"); ok { + interfaceMap["anti-spoofing"] = v.(bool) + } + + if d.HasChange("anti_spoofing_settings") { + + if _, ok := d.GetOk("anti_spoofing_settings"); ok { + + res := make(map[string]interface{}) + + if d.GetOk("anti_spoofing_settings.0.action"); ok { + res["action"] = d.Get("anti_spoofing_settings.0.action") + } + if d.GetOk("anti_spoofing_settings.0.exclude_packets"); ok { + res["exclude-packets"] = d.Get("anti_spoofing_settings.0.exclude_packets") + } + if d.GetOk("anti_spoofing_settings.0.excluded_network_name"); ok { + res["excluded-network-name"] = d.Get("anti_spoofing_settings.0.excluded_network_name") + } + if d.GetOk("anti_spoofing_settings.0.excluded_network_uid"); ok { + res["excluded-network-uid"] = d.Get("anti_spoofing_settings.0.excluded_network_uid") + } + if d.GetOk("anti_spoofing_settings.0.spoof_tracking"); ok { + res["spoof-tracking"] = d.Get("anti_spoofing_settings.0.spoof_tracking") + } + interfaceMap["anti-spoofing-settings"] = res + } + } + + if d.HasChange("cluster_members") { + + if v, ok := d.GetOk("cluster_members"); ok { + + clusterMembersList := v.([]interface{}) + + var clusterMembersPayload []map[string]interface{} + + for i := range clusterMembersList { + + Payload := make(map[string]interface{}) + + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".name"); ok { + Payload["name"] = d.Get("cluster_members." + strconv.Itoa(i) + ".name") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".member_uid"); ok { + Payload["member-uid"] = d.Get("cluster_members." + strconv.Itoa(i) + ".member_uid") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".member_name"); ok { + Payload["member-name"] = d.Get("cluster_members." + strconv.Itoa(i) + ".member_name") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_address"); ok { + Payload["ipv4-address"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv4_address") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_address"); ok { + Payload["ipv6-address"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv6_address") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".network_mask"); ok { + Payload["network-mask"] = d.Get("cluster_members." + strconv.Itoa(i) + ".network_mask") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_network_mask"); ok { + Payload["ipv4-network-mask"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv4_network_mask") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_network_mask"); ok { + Payload["ipv6-network-mask"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv6_network_mask") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv4_mask_length"); ok { + Payload["ipv4-mask-length"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv4_mask_length") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".ipv6_mask_length"); ok { + Payload["ipv6-mask-length"] = d.Get("cluster_members." + strconv.Itoa(i) + ".ipv6_mask_length") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".tags"); ok { + Payload["tags"] = d.Get("cluster_members." + strconv.Itoa(i) + ".tags") + } + if d.GetOk("cluster_members." + strconv.Itoa(i) + ".color"); ok { + Payload["color"] = d.Get("cluster_members." + strconv.Itoa(i) + ".color") + } + if d.HasChange("cluster_members." + strconv.Itoa(i) + ".comments") { + Payload["comments"] = d.Get("cluster_members." + strconv.Itoa(i) + ".comments") + } + + clusterMembersPayload = append(clusterMembersPayload, Payload) + } + interfaceMap["cluster-members"] = clusterMembersPayload + } else { + oldclusterMembers, _ := d.GetChange("cluster_members") + var clusterMembersToDelete []interface{} + for _, i := range oldclusterMembers.([]interface{}) { + clusterMembersToDelete = append(clusterMembersToDelete, i.(map[string]interface{})["name"].(string)) + } + interfaceMap["cluster-members"] = map[string]interface{}{"remove": clusterMembersToDelete} + } + } + + if ok := d.HasChange("cluster_network_type"); ok { + interfaceMap["cluster-network-type"] = d.Get("cluster_network_type") + } + + if v, ok := d.GetOkExists("dynamic_ip"); ok { + interfaceMap["dynamic-ip"] = v.(bool) + } + + if ok := d.HasChange("ipv4_address"); ok { + interfaceMap["ipv4-address"] = d.Get("ipv4_address") + } + + if ok := d.HasChange("ipv4_mask_length"); ok { + interfaceMap["ipv4-mask-length"] = d.Get("ipv4_mask_length") + } + + if ok := d.HasChange("ipv4_network_mask"); ok { + interfaceMap["ipv4-network-mask"] = d.Get("ipv4_network_mask") + } + + if ok := d.HasChange("ipv6_address"); ok { + interfaceMap["ipv6-address"] = d.Get("ipv6_address") + } + + if ok := d.HasChange("ipv6_mask_length"); ok { + interfaceMap["ipv6-mask-length"] = d.Get("ipv6_mask_length") + } + + if ok := d.HasChange("ipv6_network_mask"); ok { + interfaceMap["ipv6-network-mask"] = d.Get("ipv6_network_mask") + } + + if v, ok := d.GetOkExists("monitored_by_cluster"); ok { + interfaceMap["monitored-by-cluster"] = v.(bool) + } + + if ok := d.HasChange("network_interface_type"); ok { + interfaceMap["network-interface-type"] = d.Get("network_interface_type") + } + + if d.HasChange("security_zone_settings") { + + if _, ok := d.GetOk("security_zone_settings"); ok { + + res := make(map[string]interface{}) + + if d.GetOk("security_zone_settings.0.auto_calculated"); ok { + res["auto-calculated"] = d.Get("security_zone_settings.0.auto_calculated") + } + if d.GetOk("security_zone_settings.0.specific_zone"); ok { + res["specific-zone"] = d.Get("security_zone_settings.0.specific_zone") + } + + interfaceMap["security-zone-settings"] = res + } + } + + if d.HasChange("tags") { + if v, ok := d.GetOk("tags"); ok { + interfaceMap["tags"] = v.(*schema.Set).List() + } else { + oldTags, _ := d.GetChange("tags") + interfaceMap["tags"] = map[string]interface{}{"remove": oldTags.(*schema.Set).List()} + } + } + + if ok := d.HasChange("topology"); ok { + interfaceMap["topology"] = d.Get("topology") + } + + if d.HasChange("topology_settings") { + + if _, ok := d.GetOk("topology_settings"); ok { + + res := make(map[string]interface{}) + + if d.GetOk("topology_settings.0.interface_leads_to_dmz"); ok { + res["interface-leads-to-dmz"] = d.Get("topology_settings.0.interface_leads_to_dmz") + } + if d.GetOk("topology_settings.0.ip_address_behind_this_interface"); ok { + res["ip-address-behind-this-interface"] = d.Get("topology_settings.0.ip_address_behind_this_interface") + } + if d.GetOk("topology_settings.0.specific_network"); ok { + res["specific-network"] = d.Get("topology_settings.0.specific_network") + } + if d.GetOk("topology_settings.0.specific_network_uid"); ok { + res["specific-network-uid"] = d.Get("topology_settings.0.specific_network_uid") + } + interfaceMap["topology-settings"] = res + } + } + + if ok := d.HasChange("color"); ok { + interfaceMap["color"] = d.Get("color") + } + + if ok := d.HasChange("comments"); ok { + interfaceMap["comments"] = d.Get("comments") + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + interfaceMap["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + interfaceMap["ignore-errors"] = v.(bool) + } + + log.Println("Update Interface - Map = ", interfaceMap) + + updateInterfaceRes, err := client.ApiCall("set-interface", interfaceMap, client.GetSessionID(), true, false) + if err != nil || !updateInterfaceRes.Success { + if updateInterfaceRes.ErrorMsg != "" { + return fmt.Errorf(updateInterfaceRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + return readManagementInterface(d, m) +} + +func deleteManagementInterface(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + interfacePayload := map[string]interface{}{ + "uid": d.Id(), + } + + log.Println("Delete Interface") + + deleteInterfaceRes, err := client.ApiCall("delete-interface", interfacePayload, client.GetSessionID(), true, false) + if err != nil || !deleteInterfaceRes.Success { + if deleteInterfaceRes.ErrorMsg != "" { + return fmt.Errorf(deleteInterfaceRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + d.SetId("") + + return nil +} diff --git a/checkpoint/resource_checkpoint_management_interface_test.go b/checkpoint/resource_checkpoint_management_interface_test.go new file mode 100644 index 00000000..21bd8df3 --- /dev/null +++ b/checkpoint/resource_checkpoint_management_interface_test.go @@ -0,0 +1,138 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + "os" + "strings" + "testing" +) + +func TestAccCheckpointManagementInterface_basic(t *testing.T) { + + var interfaceMap map[string]interface{} + resourceName := "checkpoint_management_interface.test" + objName := "tfTestManagementInterface_" + acctest.RandString(6) + + context := os.Getenv("CHECKPOINT_CONTEXT") + if context != "web_api" { + t.Skip("Skipping management test") + } else if context == "" { + t.Skip("Env CHECKPOINT_CONTEXT must be specified to run this acc test") + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckpointManagementInterfaceDestroy, + Steps: []resource.TestStep{ + { + Config: testAccManagementInterfaceConfig(objName), + Check: resource.ComposeTestCheckFunc( + testAccCheckCheckpointManagementInterfaceExists(resourceName, &interfaceMap), + // testAccCheckCheckpointManagementInterfaceAttributes(&interfaceMap, objName), + ), + }, + }, + }) +} + +func testAccCheckpointManagementInterfaceDestroy(s *terraform.State) error { + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + for _, rs := range s.RootModule().Resources { + if rs.Type != "checkpoint_management_interface" { + continue + } + if rs.Primary.ID != "" { + res, _ := client.ApiCall("show-interface", map[string]interface{}{"uid": rs.Primary.ID}, client.GetSessionID(), true, false) + if res.Success { + return fmt.Errorf("Interface object (%s) still exists", rs.Primary.ID) + } + } + return nil + } + return nil +} + +func testAccCheckCheckpointManagementInterfaceExists(resourceTfName string, res *map[string]interface{}) resource.TestCheckFunc { + return func(s *terraform.State) error { + + rs, ok := s.RootModule().Resources[resourceTfName] + if !ok { + return fmt.Errorf("Resource not found: %s", resourceTfName) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("Interface ID is not set") + } + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + + response, err := client.ApiCall("show-interface", map[string]interface{}{"uid": rs.Primary}, client.GetSessionID(), true, false) + if !response.Success { + return err + } + + *res = response.GetData() + + return nil + } +} + +func testAccCheckCheckpointManagementInterfaceAttributes(interfaceMap *map[string]interface{}, name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + interfaceName := (*interfaceMap)["name"].(string) + if !strings.EqualFold(interfaceName, name) { + return fmt.Errorf("name is %s, expected %s", name, interfaceName) + } + + return nil + } +} + +func testAccManagementInterfaceConfig(name string) string { + return fmt.Sprintf(` +resource "checkpoint_management_simple_gateway" "fw" { + name = "gw3" + ipv4_address = "192.0.2.1" +} + + +resource "checkpoint_management_interface" "test" { + name = "%s" + gateway_uid = "${checkpoint_management_simple_gateway.fw.id}" + ipv4_address = "1.1.1.114" + ipv4_mask_length = 24 + anti_spoofing_settings { + action = "detect" + exclude_packets = false + spoof_tracking = "log" + + } + + security_zone_settings { + auto_calculated = false + specific_zone = "InternalZone" + + } + topology_settings { + interface_leads_to_dmz = false + ip_address_behind_this_interface = "network defined by routing" + + } + topology = "internal" + network_interface_type = "ethernet" + cluster_members { + name = "eth4" + member_name = "member1" + ipv4_address = "192.168.1.2" + } + +} +`, name) +} diff --git a/checkpoint/resource_checkpoint_management_override_categorization.go b/checkpoint/resource_checkpoint_management_override_categorization.go new file mode 100644 index 00000000..c2766a45 --- /dev/null +++ b/checkpoint/resource_checkpoint_management_override_categorization.go @@ -0,0 +1,328 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func resourceManagementOverrideCategorization() *schema.Resource { + return &schema.Resource{ + Create: createManagementOverrideCategorization, + Read: readManagementOverrideCategorization, + Update: updateManagementOverrideCategorization, + Delete: deleteManagementOverrideCategorization, + Schema: map[string]*schema.Schema{ + "url": { + Type: schema.TypeString, + Required: true, + Description: "The URL for which we want to update the category and risk definitions, the URL and the object name are the same for Override Categorization.", + }, + "url_defined_as_regular_expression": { + Type: schema.TypeBool, + Optional: true, + Description: "States whether the URL is defined as a Regular Expression or not.", + Default: false, + }, + "new_primary_category": { + Type: schema.TypeString, + Optional: true, + Description: "Uid or name of the primary category based on its most defining aspect.", + }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "risk": { + Type: schema.TypeString, + Optional: true, + Description: "States the override categorization risk.", + }, + "additional_categories": { + Type: schema.TypeSet, + Optional: true, + Description: "Uid or name of the categories to override in the Application and URL Filtering or Threat Prevention.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "color": { + Type: schema.TypeString, + Optional: true, + Description: "Color of the object. Should be one of existing colors.", + Default: "black", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Comments string.", + }, + "ignore_warnings": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring warnings.", + Default: false, + }, + "ignore_errors": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.", + Default: false, + }, + }, + } +} + +func createManagementOverrideCategorization(d *schema.ResourceData, m interface{}) error { + client := m.(*checkpoint.ApiClient) + + overrideCategorization := make(map[string]interface{}) + + if v, ok := d.GetOk("url"); ok { + overrideCategorization["url"] = v.(string) + } + + if v, ok := d.GetOkExists("url_defined_as_regular_expression"); ok { + overrideCategorization["url-defined-as-regular-expression"] = v.(bool) + } + + if v, ok := d.GetOk("new_primary_category"); ok { + overrideCategorization["new-primary-category"] = v.(string) + } + + if v, ok := d.GetOk("tags"); ok { + overrideCategorization["tags"] = v.(*schema.Set).List() + } + + if v, ok := d.GetOk("risk"); ok { + overrideCategorization["risk"] = v.(string) + } + + if v, ok := d.GetOk("additional_categories"); ok { + overrideCategorization["additional-categories"] = v.(*schema.Set).List() + } + + if v, ok := d.GetOk("color"); ok { + overrideCategorization["color"] = v.(string) + } + + if v, ok := d.GetOk("comments"); ok { + overrideCategorization["comments"] = v.(string) + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + overrideCategorization["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + overrideCategorization["ignore-errors"] = v.(bool) + } + + log.Println("Create OverrideCategorization - Map = ", overrideCategorization) + + addOverrideCategorizationRes, err := client.ApiCall("add-override-categorization", overrideCategorization, client.GetSessionID(), true, false) + if err != nil || !addOverrideCategorizationRes.Success { + if addOverrideCategorizationRes.ErrorMsg != "" { + return fmt.Errorf(addOverrideCategorizationRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + d.SetId(addOverrideCategorizationRes.GetData()["uid"].(string)) + + return readManagementOverrideCategorization(d, m) +} + +func readManagementOverrideCategorization(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := map[string]interface{}{} + + if v, ok := d.GetOk("url"); ok { + payload["url"] = v + } else { + payload["uid"] = d.Id() + } + + showOverrideCategorizationRes, err := client.ApiCall("show-override-categorization", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showOverrideCategorizationRes.Success { + if objectNotFound(showOverrideCategorizationRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showOverrideCategorizationRes.ErrorMsg) + } + + overrideCategorization := showOverrideCategorizationRes.GetData() + + log.Println("Read OverrideCategorization - Show JSON = ", overrideCategorization) + + if v := overrideCategorization["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + if v := overrideCategorization["url"]; v != nil { + _ = d.Set("url", v) + } + + if v := overrideCategorization["url-defined-as-regular-expression"]; v != nil { + _ = d.Set("url_defined_as_regular_expression", v) + } + + if v := overrideCategorization["new-primary-category"]; v != nil { + objMap := v.(map[string]interface{}) + if v := objMap["name"]; v != nil { + _ = d.Set("new_primary_category", v) + } + } + + if overrideCategorization["tags"] != nil { + tagsJson, ok := overrideCategorization["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := overrideCategorization["risk"]; v != nil { + _ = d.Set("risk", v) + } + + if overrideCategorization["additional_categories"] != nil { + additionalCategoriesJson, ok := overrideCategorization["additional_categories"].([]interface{}) + if ok { + additionalCategoriesIds := make([]string, 0) + if len(additionalCategoriesJson) > 0 { + for _, additional_categories := range additionalCategoriesJson { + additional_categories := additional_categories.(map[string]interface{}) + additionalCategoriesIds = append(additionalCategoriesIds, additional_categories["name"].(string)) + } + } + _ = d.Set("additional_categories", additionalCategoriesIds) + } + } else { + _ = d.Set("additional_categories", nil) + } + + if v := overrideCategorization["color"]; v != nil { + _ = d.Set("color", v) + } + + if v := overrideCategorization["comments"]; v != nil { + _ = d.Set("comments", v) + } + + return nil + +} + +func updateManagementOverrideCategorization(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + overrideCategorization := make(map[string]interface{}) + + if ok := d.HasChange("url"); ok { + oldName, newName := d.GetChange("url") + overrideCategorization["url"] = oldName + overrideCategorization["new-url"] = newName + } else { + overrideCategorization["url"] = d.Get("url") + } + + if v, ok := d.GetOkExists("url_defined_as_regular_expression"); ok { + overrideCategorization["url-defined-as-regular-expression"] = v.(bool) + } + + if ok := d.HasChange("new_primary_category"); ok { + overrideCategorization["new-primary-category"] = d.Get("new_primary_category") + } + + if d.HasChange("tags") { + if v, ok := d.GetOk("tags"); ok { + overrideCategorization["tags"] = v.(*schema.Set).List() + } else { + oldTags, _ := d.GetChange("tags") + overrideCategorization["tags"] = map[string]interface{}{"remove": oldTags.(*schema.Set).List()} + } + } + + if ok := d.HasChange("risk"); ok { + overrideCategorization["risk"] = d.Get("risk") + } + + if d.HasChange("additional_categories") { + if v, ok := d.GetOk("additional_categories"); ok { + overrideCategorization["additional-categories"] = v.(*schema.Set).List() + } else { + oldAdditional_Categories, _ := d.GetChange("additional_categories") + overrideCategorization["additional-categories"] = map[string]interface{}{"remove": oldAdditional_Categories.(*schema.Set).List()} + } + } + + if ok := d.HasChange("color"); ok { + overrideCategorization["color"] = d.Get("color") + } + + if ok := d.HasChange("comments"); ok { + overrideCategorization["comments"] = d.Get("comments") + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + overrideCategorization["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + overrideCategorization["ignore-errors"] = v.(bool) + } + + log.Println("Update OverrideCategorization - Map = ", overrideCategorization) + + updateOverrideCategorizationRes, err := client.ApiCall("set-override-categorization", overrideCategorization, client.GetSessionID(), true, false) + if err != nil || !updateOverrideCategorizationRes.Success { + if updateOverrideCategorizationRes.ErrorMsg != "" { + return fmt.Errorf(updateOverrideCategorizationRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + return readManagementOverrideCategorization(d, m) +} + +func deleteManagementOverrideCategorization(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + overrideCategorizationPayload := map[string]interface{}{ + "uid": d.Id(), + } + + log.Println("Delete OverrideCategorization") + + deleteOverrideCategorizationRes, err := client.ApiCall("delete-override-categorization", overrideCategorizationPayload, client.GetSessionID(), true, false) + if err != nil || !deleteOverrideCategorizationRes.Success { + if deleteOverrideCategorizationRes.ErrorMsg != "" { + return fmt.Errorf(deleteOverrideCategorizationRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + d.SetId("") + + return nil +} diff --git a/checkpoint/resource_checkpoint_management_override_categorization_test.go b/checkpoint/resource_checkpoint_management_override_categorization_test.go new file mode 100644 index 00000000..0c53208c --- /dev/null +++ b/checkpoint/resource_checkpoint_management_override_categorization_test.go @@ -0,0 +1,110 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + "os" + "strings" + "testing" +) + +func TestAccCheckpointManagementOverrideCategorization_basic(t *testing.T) { + + var overrideCategorizationMap map[string]interface{} + resourceName := "checkpoint_management_override_categorization.test" + context := os.Getenv("CHECKPOINT_CONTEXT") + if context != "web_api" { + t.Skip("Skipping management test") + } else if context == "" { + t.Skip("Env CHECKPOINT_CONTEXT must be specified to run this acc test") + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckpointManagementOverrideCategorizationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccManagementOverrideCategorizationConfig("adam3", "Botnets", "low"), + Check: resource.ComposeTestCheckFunc( + testAccCheckCheckpointManagementOverrideCategorizationExists(resourceName, &overrideCategorizationMap), + testAccCheckCheckpointManagementOverrideCategorizationAttributes(&overrideCategorizationMap, "adam3", "Botnets", "low"), + ), + }, + }, + }) +} + +func testAccCheckpointManagementOverrideCategorizationDestroy(s *terraform.State) error { + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + for _, rs := range s.RootModule().Resources { + if rs.Type != "checkpoint_management_override_categorization" { + continue + } + if rs.Primary.ID != "" { + res, _ := client.ApiCall("show-override-categorization", map[string]interface{}{"uid": rs.Primary.ID}, client.GetSessionID(), true, false) + if res.Success { + return fmt.Errorf("OverrideCategorization object (%s) still exists", rs.Primary.ID) + } + } + return nil + } + return nil +} + +func testAccCheckCheckpointManagementOverrideCategorizationExists(resourceTfName string, res *map[string]interface{}) resource.TestCheckFunc { + return func(s *terraform.State) error { + + rs, ok := s.RootModule().Resources[resourceTfName] + if !ok { + return fmt.Errorf("Resource not found: %s", resourceTfName) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("OverrideCategorization ID is not set") + } + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + + response, err := client.ApiCall("show-override-categorization", map[string]interface{}{"uid": rs.Primary.ID}, client.GetSessionID(), true, false) + if !response.Success { + return err + } + + *res = response.GetData() + + return nil + } +} + +func testAccCheckCheckpointManagementOverrideCategorizationAttributes(overrideCategorizationMap *map[string]interface{}, url string, newPrimaryCategory string, risk string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + overrideCategorizationUrl := (*overrideCategorizationMap)["url"].(string) + if !strings.EqualFold(overrideCategorizationUrl, url) { + return fmt.Errorf("url is %s, expected %s", url, overrideCategorizationUrl) + } + /**overrideCategorizationNewPrimaryCategory := (*overrideCategorizationMap)["new-primary-category"].(string) + if !strings.EqualFold(overrideCategorizationNewPrimaryCategory, newPrimaryCategory) { + return fmt.Errorf("newPrimaryCategory is %s, expected %s", newPrimaryCategory, overrideCategorizationNewPrimaryCategory) + }*/ + overrideCategorizationRisk := (*overrideCategorizationMap)["risk"].(string) + if !strings.EqualFold(overrideCategorizationRisk, risk) { + return fmt.Errorf("risk is %s, expected %s", risk, overrideCategorizationRisk) + } + return nil + } +} + +func testAccManagementOverrideCategorizationConfig(url string, newPrimaryCategory string, risk string) string { + return fmt.Sprintf(` +resource "checkpoint_management_override_categorization" "test" { + url = "%s" + new_primary_category = "%s" + risk = "%s" +} +`, url, newPrimaryCategory, risk) +} diff --git a/website/checkpoint.erb b/website/checkpoint.erb index 65a5e1c1..6be6bb8b 100644 --- a/website/checkpoint.erb +++ b/website/checkpoint.erb @@ -613,6 +613,9 @@ > checkpoint_management_resource_cifs + > + checkpoint_management_interface + @@ -1108,6 +1111,9 @@ > checkpoint_management_resource_cifs + > + checkpoint_management_interface + diff --git a/website/docs/d/checkpoint_management_interface.html.markdown b/website/docs/d/checkpoint_management_interface.html.markdown new file mode 100644 index 00000000..dc24cc39 --- /dev/null +++ b/website/docs/d/checkpoint_management_interface.html.markdown @@ -0,0 +1,119 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_interface" +sidebar_current: "docs-checkpoint-resource-checkpoint-management-interface" +description: |- +Use this data source to get information on an existing Check Point Interface. +--- + +# checkpoint_management_interface + +Use this data source to get information on an existing Check Point Interface. + +## Example Usage + + +```hcl +resource "checkpoint_management_interface" "example" { + name = "eth0" + ipv4_address = "1.1.1.111" + ipv4_mask_length = 24 + gateway_uid = "20ec49e8-8cd8-4ad4-b204-0de8ae4e0e17" + topology = "internal" + cluster_network_type = "cluster" + anti_spoofing = true + ignore_warnings = false +} + +data "checkpoint_management_interface" "data" { + name = "${checkpoint_management_interface.example.name}" + gateway_uid = "${checkpoint_management_interface.example.gateway_uid}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Optional) Object name. +* `uid` - (Optional) Object unique identifier. +* `gateway_uid` - (Optional) Gateway or cluster object uid that the interface belongs to. Required only if name was specified. +* `anti_spoofing` - Enable anti-spoofing. +* `anti_spoofing_settings` - Anti Spoofing Settings.anti_spoofing_settings blocks are documented below. +* `cluster_members` - Network interface settings for cluster members.cluster_members blocks are documented below. +* `cluster_network_type` -Cluster interface type. +* `dynamic_ip` - Enable dynamic interface. +* `ipv4_address` -IPv4 network address. +* `ipv4_mask_length` - IPv4 mask length. +* `ipv4_network_mask` - IPv4 network mask. +* `ipv6_address` - IPv6 address. +* `ipv6_mask_length` - IPv6 mask length. +* `ipv6_network_mask` - IPv6 network mask. +* `monitored_by_cluster` - When Private is selected as the Cluster interface type, cluster can monitor or not monitor the interface. +* `network_interface_type` - Network Interface Type. +* `security_zone_settings` -Security Zone Settings.security_zone_settings blocks are documented below. +* `tags` - Collection of tag identifiers.tags blocks are documented below. +* `topology` - Topology configuration. +* `topology_automatic` - Topology configuration automatically calculated by get-interfaces command. +* `topology_manual` - Topology configuration manually defined. +* `topology_settings` - Topology Settings.topology_settings blocks are documented below. +* `topology_settings_automatic` - Topology settings automatically calculated by get-interfaces command. +* `topology_settings_manual` - Topology settings manually defined. +* `color` - Color of the object. Should be one of existing colors. +* `comments` - Comments string. + + +`anti_spoofing_settings` supports the following: + +* `action` - If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). +* `exclude_packets` - Don't check packets from excluded network. +* `excluded_network_name` - Excluded network name. +* `excluded_network_uid` - Excluded network UID. +* `spoof_tracking` - Spoof tracking. + + +`cluster_members` supports the following: + +* `name` - Cluster member network interface name. +* `member_uid` - Cluster member object uid. +* `member_name` - Cluster member object name. +* `ipv4_address` - IPv4 address. +* `ipv6_address` - IPv6 address. +* `network_mask` - IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly. +* `ipv4_network_mask` - IPv4 network address. +* `ipv6_network_mask` - IPv6 network address. +* `ipv4_mask_length` - IPv4 network mask length. +* `ipv6_mask_length` - IPv6 network mask length. + + + +`security_zone_settings` supports the following: + +* `auto_calculated` - Security Zone is calculated according to where the interface leads to. +* `specific_zone` - Security Zone specified manually. +* `auto_calculated_zone` - N/A +* `auto_calculated_zone_uid` - N/A +* `specific_security_zone_enabled` - N/A + + +`topology_settings` supports the following: + +* `interface_leads_to_dmz` - Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - Network settings behind this interface. +* `specific_network` - Network behind this interface. +* `specific_network_uid` - N/A + +`topology_settings_automatic` supports the following: + +* `interface_leads_to_dmz` - Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - Network settings behind this interface. +* `specific_network` - Network behind this interface. +* `specific_network_uid` - N/A + + +`topology_settings_manual` supports the following: + +* `interface_leads_to_dmz` - Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - Network settings behind this interface. +* `specific_network` - Network behind this interface. +* `specific_network_uid` - N/A diff --git a/website/docs/d/checkpoint_management_internal_trusted_ca.html.markdown b/website/docs/d/checkpoint_management_internal_trusted_ca.html.markdown index 4fcd7c56..eeb64b67 100644 --- a/website/docs/d/checkpoint_management_internal_trusted_ca.html.markdown +++ b/website/docs/d/checkpoint_management_internal_trusted_ca.html.markdown @@ -4,8 +4,7 @@ page_title: "checkpoint_management_internal_trusted_ca" sidebar_current: "docs-checkpoint-resource-checkpoint-management-internal-trusted-ca" description: |- Use this data source to get information on an existing Check Point Internal Trusted Ca. -Use this data source to get information on an existing Check Point Internal Trusted Ca. -Use this data source to get information on an existing Check Point Internal Trusted Ca. + --- # checkpoint_management_internal_trusted_ca diff --git a/website/docs/d/checkpoint_management_override_categorization.html.markdown b/website/docs/d/checkpoint_management_override_categorization.html.markdown new file mode 100644 index 00000000..33acf6b5 --- /dev/null +++ b/website/docs/d/checkpoint_management_override_categorization.html.markdown @@ -0,0 +1,39 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_override_categorization" +sidebar_current: "docs-checkpoint-resource-checkpoint-management-override-categorization" +description: |- +Use this data source to get information on an existing Check Point Override Categorization. +--- + +# Data Source: checkpoint_management_override_categorization + +Use this data source to get information on an existing Check Point Override Categorization. + +## Example Usage + +```hcl +resource "checkpoint_management_override_categorization" "example" { + url = "newOverride" + new_primary_category = "Botnets" + risk = "low" +} +data "checkpoint_management_override_categorization" "data" { + url = "${checkpoint_management_override_categorization.example.url}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `uid` - (Optional) Object unique identifier. +* `url` - (Optional) The URL for which we want to update the category and risk definitions, the URL and the object name are the same for Override Categorization. +* `url_defined_as_regular_expression` - States whether the URL is defined as a Regular Expression or not. +* `new_primary_category` - Uid or name of the primary category based on its most defining aspect. +* `tags` - Collection of tag identifiers. +* `risk` - States the override categorization risk. +* `additional_categories` - Uid or name of the categories to override in the Application and URL Filtering or Threat Prevention. +* `color` - Color of the object. Should be one of existing colors. +* `comments` - Comments string. + diff --git a/website/docs/r/checkpoint_management_interface.html.markdown b/website/docs/r/checkpoint_management_interface.html.markdown new file mode 100644 index 00000000..ea50df54 --- /dev/null +++ b/website/docs/r/checkpoint_management_interface.html.markdown @@ -0,0 +1,119 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_interface" +sidebar_current: "docs-checkpoint-resource-checkpoint-management-interface" +description: |- +This resource allows you to execute Check Point Interface. +--- + +# checkpoint_management_interface + +This resource allows you to execute Check Point Interface. + +## Example Usage + + +```hcl +resource "checkpoint_management_interface" "example" { + name = "eth0" + ipv4_address = "1.1.1.111" + ipv4_mask_length = 24 + gateway_uid = "20ec49e8-8cd8-4ad4-b204-0de8ae4e0e17" + topology = "internal" + cluster_network_type = "cluster" + anti_spoofing = true + ignore_warnings = false +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) Network interface name. +* `gateway_uid` - (Required) Gateway or cluster object uid that the interface belongs to. Required only if name was specified. +* `anti_spoofing` - (Optional) Enable anti-spoofing. +* `anti_spoofing_settings` - (Optional) Anti Spoofing Settings.anti_spoofing_settings blocks are documented below. +* `cluster_members` - (Optional) Network interface settings for cluster members.cluster_members blocks are documented below. +* `cluster_network_type` - (Optional) Cluster interface type. +* `dynamic_ip` - (Optional) Enable dynamic interface. +* `ipv4_address` - (Optional) IPv4 network address. +* `ipv4_mask_length` - (Optional) IPv4 mask length. +* `ipv4_network_mask` - (Optional) IPv4 network mask. +* `ipv6_address` - (Optional) IPv6 address. +* `ipv6_mask_length` - (Optional) IPv6 mask length. +* `ipv6_network_mask` - (Optional) IPv6 network mask. +* `monitored_by_cluster` - (Optional) When Private is selected as the Cluster interface type, cluster can monitor or not monitor the interface. +* `network_interface_type` - (Optional) Network Interface Type. +* `security_zone_settings` - (Optional) Security Zone Settings.security_zone_settings blocks are documented below. +* `tags` - (Optional) Collection of tag identifiers.tags blocks are documented below. +* `topology` - (Optional) Topology configuration. +* `topology_automatic` - Topology configuration automatically calculated by get-interfaces command. +* `topology_manual` - Topology configuration manually defined. +* `topology_settings` - (Optional) Topology Settings.topology_settings blocks are documented below. +* `topology_settings_automatic` - Topology settings automatically calculated by get-interfaces command. +* `topology_settings_manual` - Topology settings manually defined. +* `color` - (Optional) Color of the object. Should be one of existing colors. +* `comments` - (Optional) Comments string. +* `ignore_warnings` - (Optional) Apply changes ignoring warnings. +* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. + + +`anti_spoofing_settings` supports the following: + +* `action` - (Optional) If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). +* `exclude_packets` - (Optional) Don't check packets from excluded network. +* `excluded_network_name` - (Optional) Excluded network name. +* `excluded_network_uid` - (Optional) Excluded network UID. +* `spoof_tracking` - (Optional) Spoof tracking. + + +`cluster_members` supports the following: + +* `name` - (Optional) Cluster member network interface name. +* `member_uid` - (Optional) Cluster member object uid. +* `member_name` - (Optional) Cluster member object name. +* `ipv4_address` - (Optional) IPv4 address. +* `ipv6_address` - (Optional) IPv6 address. +* `network_mask` - (Optional) IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly. +* `ipv4_network_mask` - (Optional) IPv4 network address. +* `ipv6_network_mask` - (Optional) IPv6 network address. +* `ipv4_mask_length` - (Optional) IPv4 network mask length. +* `ipv6_mask_length` - (Optional) IPv6 network mask length. +* `tags` - (Optional) Collection of tag identifiers.tags blocks are documented below. +* `color` - (Optional) Color of the object. Should be one of existing colors. +* `comments` - (Optional) Comments string. +* `ignore_warnings` - (Optional) Apply changes ignoring warnings. +* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. + + +`security_zone_settings` supports the following: + +* `auto_calculated` - (Optional) Security Zone is calculated according to where the interface leads to. +* `specific_zone` - (Optional) Security Zone specified manually. +* `auto_calculated_zone` - (Optional) N/A +* `auto_calculated_zone_uid` - (Optional) N/A +* `specific_security_zone_enabled` - (Optional) N/A + + +`topology_settings` supports the following: + +* `interface_leads_to_dmz` - (Optional) Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - (Optional) Network settings behind this interface. +* `specific_network` - (Optional) Network behind this interface. +* `specific_network_uid` - (Optional) N/A + +`topology_settings_automatic` supports the following: + +* `interface_leads_to_dmz` - Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - Network settings behind this interface. +* `specific_network` - Network behind this interface. +* `specific_network_uid` - N/A + + +`topology_settings_manual` supports the following: + +* `interface_leads_to_dmz` - Whether this interface leads to demilitarized zone (perimeter network). +* `ip_address_behind_this_interface` - Network settings behind this interface. +* `specific_network` - Network behind this interface. +* `specific_network_uid` - N/A \ No newline at end of file diff --git a/website/docs/r/checkpoint_management_override_categorization.html.markdown b/website/docs/r/checkpoint_management_override_categorization.html.markdown new file mode 100644 index 00000000..1e0cba9f --- /dev/null +++ b/website/docs/r/checkpoint_management_override_categorization.html.markdown @@ -0,0 +1,37 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_override_categorization" +sidebar_current: "docs-checkpoint-resource-checkpoint-management-override-categorization" +description: |- +This resource allows you to execute Check Point Override Categorization. +--- + +# checkpoint_management_override_categorization + +This resource allows you to execute Check Point Override Categorization. + +## Example Usage + + +```hcl +resource "checkpoint_management_override_categorization" "example" { + url = "newOverride" + new_primary_category = "Botnets" + risk = "low" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `url` - (Required) The URL for which we want to update the category and risk definitions, the URL and the object name are the same for Override Categorization. +* `url_defined_as_regular_expression` - (Optional) States whether the URL is defined as a Regular Expression or not. +* `new_primary_category` - (Optional) Uid or name of the primary category based on its most defining aspect. +* `tags` - (Optional) Collection of tag identifiers. +* `risk` - (Optional) States the override categorization risk. +* `additional_categories` - (Optional) Uid or name of the categories to override in the Application and URL Filtering or Threat Prevention. +* `color` - (Optional) Color of the object. Should be one of existing colors. +* `comments` - (Optional) Comments string. +* `ignore_warnings` - (Optional) Apply changes ignoring warnings. +* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. From 22b383cf1316a8596baff8a16a59f8e984418f3f Mon Sep 17 00:00:00 2001 From: adambar Date: Wed, 28 Aug 2024 12:14:34 +0300 Subject: [PATCH 2/2] amending erb file --- website/checkpoint.erb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/website/checkpoint.erb b/website/checkpoint.erb index 6be6bb8b..8969b4bb 100644 --- a/website/checkpoint.erb +++ b/website/checkpoint.erb @@ -616,6 +616,9 @@ > checkpoint_management_interface + > + checkpoint_management_override_categorization + @@ -1114,6 +1117,9 @@ > checkpoint_management_interface + > + checkpoint_management_override_categorization +