{"id":19873076,"url":"https://github.com/checkpointsw/terraform-checkpoint-dynobj-nia","last_synced_at":"2025-05-02T09:31:32.893Z","repository":{"id":54627753,"uuid":"303767542","full_name":"CheckPointSW/terraform-checkpoint-dynobj-nia","owner":"CheckPointSW","description":"Check Point Software Technologies Dynamic Objects module for Network Infrastructure Automation (NIA)","archived":false,"fork":false,"pushed_at":"2022-03-15T12:31:17.000Z","size":11026,"stargazers_count":7,"open_issues_count":1,"forks_count":5,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-07T00:51:12.572Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CheckPointSW.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-13T16:40:19.000Z","updated_at":"2025-03-20T10:53:49.000Z","dependencies_parsed_at":"2022-08-13T22:00:44.407Z","dependency_job_id":null,"html_url":"https://github.com/CheckPointSW/terraform-checkpoint-dynobj-nia","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fterraform-checkpoint-dynobj-nia","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fterraform-checkpoint-dynobj-nia/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fterraform-checkpoint-dynobj-nia/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CheckPointSW%2Fterraform-checkpoint-dynobj-nia/manifests","owner_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CheckPointSW","download_url":"https://codeload.github.com/CheckPointSW/terraform-checkpoint-dynobj-nia/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252015833,"owners_count":21680831,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T16:17:43.234Z","updated_at":"2025-05-02T09:31:31.481Z","avatar_url":"https://github.com/CheckPointSW.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Check Point Software Technologies Dynamic Objects module for Network Infrastructure Automation (NIA)\n\nThis Terraform module allows users to support **Dynamic Firewalling** by integrating [Consul](https://www.consul.io/) with Check Point Software Technologies Cloud and Network-based [**Security Gateway**](https://www.checkpoint.com/solutions/network-security/) devices to dynamically manage registration/de-registration of **Dynamic Objects** based on services in Consul catalog.  \n\nUsing this Terraform module in conjunction with **consul-terraform-sync** enables teams to reduce manual ticketing processes and automate Day-2 operations related to application scale up/down in a way that is both declarative and repeatable across the organization and multiple **Check Point Firewalls**. This integration will allow teams to quickly deploy applications while cutting down on security operation overhead which is also prone to human error. 
With predefined security policies in Check Point Gateways, this can also eliminate the lengthy change management process as service updates do not require a policy install.\n\n#### Note: This Terraform module is designed to be used only with **consul-terraform-sync**\n\n## Feature\nThis module supports the following:\n* Create, update and delete Dynamic Objects based on name and IP address for the service in Consul catalog. If the service address is not defined in Consul catalog, node address is used instead.\n\nIf there is a missing feature or a bug please follow this [link](https://github.com/CheckPointSW/terraform-checkpoint-dynobj-nia/issues/new) to provide your feedback. \n\n## What is consul-terraform-sync?\n\nThe **consul-terraform-sync** runs as a daemon that enables a **publisher-subscriber** paradigm between **Consul** and **Check Point Firewalls** based devices to support **Network Infrastructure Automation (NIA)**. \n\n\u003cp align=\"left\"\u003e  \n\u003cimg width=\"800\" src=\"https://raw.githubusercontent.com/CheckPointSW/terraform-checkpoint-dynobj-nia/main/images/CheckPoint-Consul-Integration.png\"\u003e \u003c/a\u003e\n\u003c/p\u003e\n\n* consul-terraform-sync **subscribes to updates from the Consul catalog** and executes one or more automation **\"tasks\"** with the appropriate value of *service variables* based on those updates. **consul-terraform-sync** leverages [Terraform](https://www.terraform.io/) as the underlying automation tool and utilizes the Terraform provider ecosystem to drive relevant change to the network infrastructure. 
\n\n* Each task consists of a runbook automation written as a compatible **Terraform module** using resources and data sources for the underlying network infrastructure provider.\n\nPlease refer to this [link](https://www.consul.io/docs/nia/installation/install) for getting started with **consul-terraform-sync**\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| terraform | \u003e= 0.13 |\n| consul-terraform-sync | \u003e= 0.1.0-techpreview2 |\n| consul | \u003e= 1.7 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| checkpoint | \u003e= 1.0.5 |\n\n## Compatibility\nThis module is meant for use with **consul-terraform-sync \u003e= 0.1.0** and **Terraform \u003e= 0.13** and **Check Point \u003e= R80.x**\n\n## Usage\nIn order to use this module, you will need to install **consul-terraform-sync**, create a **\"task\"** with this Terraform module as a source within the task, and run **consul-terraform-sync**.\n\nUsers can subscribe to the services in the consul catalog and, using a **\"task\"**, define the Terraform module which will be executed when there are any updates to the subscribed services.\n\n**~\u003e Note:** It is recommended to have the [consul-terraform-sync config guide](https://www.consul.io/docs/nia/installation/configuration) for reference.  \n1. Download the **consul-terraform-sync** on a node which is highly available (preferably, a node running a consul client)\n2. Add **consul-terraform-sync** to the PATH on that node\n3. Check the installation\n  ```\n  $ consul-terraform-sync --version\n  0.1.0\n  Compatible with Terraform ~\u003e0.13.0\n  ```\n4. Create a config file **\"tasks.hcl\"** for consul-terraform-sync. Please note that this is just an example. 
\n\n```\nterraform\nlog_level = \"info\"\n\nconsul {\n    address = \"192.168.0.1:8500\"\n}\n\nbuffer_period {\n    min = \"5s\"\n    max = \"20s\"\n}\n\ndriver \"terraform\" {\n  log = true\n  required_providers {\n    checkpoint = {\n      source = \"CheckPointSW/checkpoint\"\n    }\n  }\n}\n\nterraform_provider \"checkpoint\" {\n  server = \"192.168.0.5\"\n  username = \"consul_user\"\n  password = \"test123\"\n  context = \"web_api\"\n  timeout = 60\n}\n\n\u003c!-- task {\n    name = \"sample\"\n    description = \"This task dynamically updates service addresses\"\n    source = \"../../\"\n    providers = [\"checkpoint\"]\n    services = [\"web_services\", \"api_services\", \"db_services\"]\n} --\u003e\n\ntask {\n  name = \u003cname of the task (has to be unique)\u003e # eg. \"Create_DynamicObjects_on_CheckPointFW\"\n  description = \u003cdescription of the task\u003e # eg. \"Check Point Dynamic Objects based on service definition\"\n  source = \"sample_dir/checkpoint\"\n  providers = [\"checkpoint\"]\n  services = [\"\u003clist of consul services you want to subscribe to\u003e\"] # eg. [\"web\", \"api\"]\n  variable_files = [\"\u003clist of files that have user variables for this module (please input full path)\u003e\"] # eg. [\"/sample_dir/checkpoint/sample.tfvars\"]\n}\n```\n\n 5. Start consul-terraform-sync\n```\n$ consul-terraform-sync -config-file=sample.hcl\n```\n**consul-terraform-sync** will create Dynamic Objects on Check Point devices based on the values in consul catalog.\n\n**consul-terraform-sync is now subscribed to the Consul catalog. Any updates to the services identified in the task will result in updating the address and Dynamic Objects on the Check Point devices** \n\n\n## Installation Steps\n\n### 1. Create API user for Consul and Enable API access\n\n1. From Check Point SmartConsole, navigate to Manage \u0026 Settings \u003e Blades \u003e Management API \u003e Advanced Settings. 
\n\n\u003cp align=\"left\"\u003e\n\u003cimg width=\"360\" src=\"https://raw.githubusercontent.com/CheckPointSW/terraform-checkpoint-dynobj-nia/main/images/MgmtAPI-Settings.png\"\u003e \u003c/a\u003e\n\u003c/p\u003e\n\n  Note: For production deployments, make sure the **consul-terraform-sync** server is configured as a GUI client. For information on GUI Clients, please refer [here.](https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Content/Topics-GAG/GUI-Clients.htm)\n\n2. From Check Point SmartConsole, navigate to Manage \u0026 Settings \u003e Permissions \u0026 Administrators \u003e Trusted Clients \u003e Right Click \u003e New. \n\n\u003cp align=\"left\"\u003e\n\u003cimg width=\"360\" src=\"https://raw.githubusercontent.com/CheckPointSW/terraform-checkpoint-dynobj-nia/main/images/TrustedClient.png\"\u003e \u003c/a\u003e\n\u003c/p\u003e\n\n3. Create API user, From Check Point SmartConsole \u003e navigate to Manage \u0026 Settings \u003e Permissions \u0026 Administrators \u003e New User \u003e Set username \u003e Set password \u003e Set Permission Profile - Read Write All \n\n  Note: For granular control of user profiles, please refer [here.](https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SecurityManagement_AdminGuide/Content/Topics-SECMG/Assigning-Permission-Profiles-to-Administrators.htm?TocPath=Managing%20User%20and%20Administrator%20Accounts%7CManaging%20Administrator%20Accounts%7C_____7)\n\n\u003cp align=\"left\"\u003e\n\u003cimg width=\"360\" src=\"https://raw.githubusercontent.com/CheckPointSW/terraform-checkpoint-dynobj-nia/main/images/NewUser.png\"\u003e \u003c/a\u003e\n\u003c/p\u003e\n\n4. Install Database, From Check Point SmartConsole \u003e drop-down menu from top left \u003e Install Database\n\n\n### 2. Setup Check Point Security Management Server (SMS)\n\n1. 
Transfer the following files to SMS consul directory (/usr/local/consul)\n\nFiles: consul-mgmt.sh and consul-gw.sh\n\nCreate the consul directory on SMS\n```\nmkdir -p /usr/local/consul/log /usr/local/consul/tmp\n```\n\nUpdate consul-mgmt.sh with credentials from previous step\n```\n#!/bin/bash\n# v1 - HashiCorp Consul Integration\n# This script is for Check Point Mgmt Station\n\n# Check Point Mgmt Station credentials\nvUSERNAME=\"consul_user\"\nvPASSWORD=\"test123\"\n```\n\n2. Run the consul-mgmt.sh to generate all the required files and set up cron\n\n```\nchmod 755 consul-mgmt.sh consul-gw.sh\nsh consul-mgmt.sh\nclish -s -c \"add user consul_user uid 0 homedir /home/consul_user\"\n{ crontab -l -u consul_user; echo '*/2 * * * * /usr/local/consul/consul-mgmt.sh'; } | crontab -u consul_user -\ncrontab -u consul_user -l\n```\n\n3. Modify the **gateways** file to include all participating gateways\n\nExample\n```\n192.168.0.1\n192.168.0.2\n```\n\n  Note: consul-mgmt.sh will initialize each gateway with all required files\n\nInitialized gateway example\n```\n192.168.0.1,init\n192.168.0.2,init\n```\n\n4. Configure and install security policy with Consul services\n\n\u003cp align=\"left\"\u003e\n\u003cimg width=\"800\" src=\"https://raw.githubusercontent.com/CheckPointSW/terraform-checkpoint-dynobj-nia/main/images/ConsulRules.png\"\u003e \u003c/a\u003e\n\u003c/p\u003e\n\n\n### 3. Configure consul-terraform-sync\n\n1. Download and transfer the following files to the server where you will be running consul-terraform-sync. Please refer to this [link](https://releases.hashicorp.com/consul-terraform-sync/) to download the latest version of consul-terraform-sync. \n  \nFiles: consul-terraform-sync (binary), main.tf, variables.tf, publish.sh, publish_linux or publish_osx\n\n2. 
Modify sample.hcl \n\n**Consul Server**\n```\nconsul {\n    address = \"192.168.0.1:8500\"\n}\n```\n\n**Tasks** - Update Consul services you want to monitor\n```\ntask {\n    name = \"sample\"\n    description = \"This task dynamically updates service addresses\"\n    source = \u003cModule Path\u003e\n    providers = [\"checkpoint\"]\n    services = [\"web_services\", \"api_services\", \"db_services\"]\n}\n```\n\n  Note: If you did not specify a -config-dir then you can use **source = \"../../\"**\n\n**Provider** - Use Check Point credentials from previous steps\n```\nterraform_provider \"checkpoint\" {\n  server = \"192.168.0.5\"\n  username = \"consul_user\"\n  password = \"test123\"\n  context = \"web_api\"\n  timeout = 60\n}\n```\n\n  Note: You can also use an **api-key** by replacing username/password\n\n3. Update publish.sh\n\nUse Check Point credentials from previous steps\n\n```\n#!/bin/bash\nexport CHECKPOINT_SERVER=\"192.168.0.5\"\nexport CHECKPOINT_USERNAME=\"consul_user\"  \nexport CHECKPOINT_PASSWORD=\"test123\"\nexport CHECKPOINT_CONTEXT=\"web_api\"\nexport CHECKPOINT_TIMEOUT=60\nsleep 2\nif [[ \"$OSTYPE\" == \"linux-gnu\"* ]]; then\npublish_linux\nelif [[ \"$OSTYPE\" == \"darwin\"* ]]; then\npublish_osx\nfi\n```\n\n  Note: The **Publish** binary is for Linux 64bit and OSX. For all other platforms, please follow [this link](https://registry.terraform.io/providers/CheckPointSW/checkpoint/latest/docs#publish) to compile it for the required platform. \n\n4. Start the consul-terraform-sync\n\n```\nchmod 755 consul-terraform-sync\n./consul-terraform-sync --config-file sample.hcl\n```\n\n\n### 4. Helpful commands\n\n1. 
Verify Consul services by running dynamic_objects command from each security gateway\n\ncommand: dynamic_objects -l\n```\n[Expert@r8040gw:0]# dynamic_objects -l\nobject name : consul-api\nrange 0 : 172.31.13.27           172.31.13.27\nrange 1 : 172.31.29.206          172.31.29.206\nrange 2 : 172.31.94.1            172.31.94.1\n\nobject name : consul-redis\nrange 0 : 10.23.239.10           10.23.239.12\n\nobject name : consul-ssh\nrange 0 : 172.31.94.1            172.31.94.1\n\nobject name : consul-web\nrange 0 : 172.31.43.78           172.31.43.78\nrange 1 : 172.31.51.85           172.31.51.85\nrange 2 : 192.168.128.17         192.168.128.17\n```\n\n2. Log directory on SMS and Security Gateway\n\n- /usr/local/consul/logs\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw%2Fterraform-checkpoint-dynobj-nia","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcheckpointsw%2Fterraform-checkpoint-dynobj-nia","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcheckpointsw%2Fterraform-checkpoint-dynobj-nia/lists"}