CheckPointSW
checkpoint_management_service_tcp - cannot delete object if part of a group
Hello,
Seems ignore_warnings = true does not work for the resource checkpoint_management_service_tcp because I can't delete the object if part of the group, similar as issue 135 i believe.
resource "checkpoint_management_service_tcp" "tcp_service" {
for_each = var.clients
name = "tcp_${each.key}"
port = "${each.value.remote_port}"
session_timeout = 3600
match_for_any = true
sync_connections_on_cluster = true
ignore_warnings = true
aggressive_aging = {
enable = true
timeout = 360
use_default_timeout = false
}
keep_connections_open_after_policy_installation = true
tags = []
lifecycle {
precondition {
condition = (
each.value["remote_port"] >= 1000 &&
each.value["remote_port"] <= 65000
)
error_message = "Port number must be between 1000 and 65000"
}
}
}
resource "checkpoint_management_service_group" "smpp_services" {
name = "smpp_services"
ignore_warnings = true
members = values(checkpoint_management_service_tcp.tcp_service)[*].name
depends_on = [ checkpoint_management_service_tcp.tcp_service ]
lifecycle {
replace_triggered_by = [ checkpoint_management_service_tcp.tcp_service ]
}
}
At apply the delete of the tcp_service instance happens before the update-in-place of smpp_services so the API gives this error: │ Error: failed to execute API call │ Status: 409 Conflict │ Code: generic_err_object_deletion │ Message: Object tcp_client_3 could not be deleted because it is referenced by other objects, run where-used command for details │
HI @pr0c4 this the current behavior of a tcp_service. if we have a service that is part of a group it cannot be deleted even if where to choose ignore-warnings. thanks
ok, then is it possible to have the provide do the update-in-place of the group before doing the delete of the host ?
Hi at the moment it is not supported by the API and so not supported on the provider that reflects the API. you can open an RFE for Check-Point to include that capability in the API itself. thanks