From 15099ea1a59c14f05e6883e4e8742407562bc1d5 Mon Sep 17 00:00:00 2001 
From: chkp-adambar <136433110+chkp-adambar@users.noreply.github.com> Date: Sun, 29 Sep 2024 13:29:56 +0300 Subject: [PATCH] Add R82 resources checkpoint_management_vsx_provisioning_tool checkpoint_management_outbound_inspection_certificate checkpoint_management_add_custom_trusted_ca_certificate checkpoint_management_delete_custom_trusted_ca_certificate checkpoint_management_run_trusted_ca_update checkpoint_management_set_gateway_global_use checkpoint_management_set_https_advanced_settings checkpoint_management_custom_trusted_ca_certificate checkpoint_management_outbound_inspection_certificate checkpoint_management_gateway_global_use checkpoint_management_https_advanced_settings checkpoint_management_gateway_capabilities --- CHANGELOG.md | 12 + ...anagement_custom_trusted_ca_certificate.go | 196 +++ ...ckpoint_management_gateway_capabilities.go | 517 ++++++ ...heckpoint_management_gateway_global_use.go | 108 ++ ...oint_management_https_advanced_settings.go | 236 +++ ...agement_outbound_inspection_certificate.go | 166 ++ checkpoint/provider.go | 12 + ...mmand_add_custom_trusted_ca_certificate.go | 190 ++ ...nd_delete_custom_trusted_ca_certificate.go | 83 + ...anagement_command_run_trusted_ca_update.go | 58 + ...nagement_command_set_gateway_global_use.go | 70 + ...ent_command_set_https_advanced_settings.go | 283 +++ ...anagement_command_vsx_provisioning_tool.go | 1534 +++++++++++++++++ ...agement_outbound_inspection_certificate.go | 343 ++++ ...nt_outbound_inspection_certificate_test.go | 108 ++ checkpoint/utils.go | 23 + website/checkpoint.erb | 36 + ...ustom_trusted_ca_certificate.html.markdown | 53 + ...agement_gateway_capabilities.html.markdown | 103 ++ ...anagement_gateway_global_use.html.markdown | 46 + ...ment_https_advanced_settings.html.markdown | 92 + ...bound_inspection_certificate.html.markdown | 44 + ...ustom_trusted_ca_certificate.html.markdown | 47 + ...ustom_trusted_ca_certificate.html.markdown | 35 + ...bound_inspection_certificate.html.markdown | 43 
+ ...gement_run_trusted_ca_update.html.markdown | 30 + ...ement_set_gateway_global_use.html.markdown | 34 + ..._set_https_advanced_settings.html.markdown | 88 + ...gement_vsx_provisioning_tool.html.markdown | 276 +++ 29 files changed, 4866 insertions(+) create mode 100644 checkpoint/data_source_checkpoint_management_custom_trusted_ca_certificate.go create mode 100644 checkpoint/data_source_checkpoint_management_gateway_capabilities.go create mode 100644 checkpoint/data_source_checkpoint_management_gateway_global_use.go create mode 100644 checkpoint/data_source_checkpoint_management_https_advanced_settings.go create mode 100644 checkpoint/data_source_checkpoint_management_outbound_inspection_certificate.go create mode 100644 checkpoint/resource_checkpoint_management_command_add_custom_trusted_ca_certificate.go create mode 100644 checkpoint/resource_checkpoint_management_command_delete_custom_trusted_ca_certificate.go create mode 100644 checkpoint/resource_checkpoint_management_command_run_trusted_ca_update.go create mode 100644 checkpoint/resource_checkpoint_management_command_set_gateway_global_use.go create mode 100644 checkpoint/resource_checkpoint_management_command_set_https_advanced_settings.go create mode 100644 checkpoint/resource_checkpoint_management_command_vsx_provisioning_tool.go create mode 100644 checkpoint/resource_checkpoint_management_outbound_inspection_certificate.go create mode 100644 checkpoint/resource_checkpoint_management_outbound_inspection_certificate_test.go create mode 100644 website/docs/d/checkpoint_management_custom_trusted_ca_certificate.html.markdown create mode 100644 website/docs/d/checkpoint_management_gateway_capabilities.html.markdown create mode 100644 website/docs/d/checkpoint_management_gateway_global_use.html.markdown create mode 100644 website/docs/d/checkpoint_management_https_advanced_settings.html.markdown create mode 100644 website/docs/d/checkpoint_management_outbound_inspection_certificate.html.markdown create mode 
100644 website/docs/r/checkpoint_management_add_custom_trusted_ca_certificate.html.markdown create mode 100644 website/docs/r/checkpoint_management_delete_custom_trusted_ca_certificate.html.markdown create mode 100644 website/docs/r/checkpoint_management_outbound_inspection_certificate.html.markdown create mode 100644 website/docs/r/checkpoint_management_run_trusted_ca_update.html.markdown create mode 100644 website/docs/r/checkpoint_management_set_gateway_global_use.html.markdown create mode 100644 website/docs/r/checkpoint_management_set_https_advanced_settings.html.markdown create mode 100644 website/docs/r/checkpoint_management_vsx_provisioning_tool.html.markdown diff --git a/CHANGELOG.md b/CHANGELOG.md index b43d2973..08e38e64 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,13 @@ ## 2.8.0 FEATURES +* **New Resource:** `checkpoint_management_vsx_provisioning_tool` +* **New Resource:** `checkpoint_management_outbound_inspection_certificate` +* **New Resource:** `checkpoint_management_add_custom_trusted_ca_certificate` +* **New Resource:** `checkpoint_management_delete_custom_trusted_ca_certificate` +* **New Resource:** `checkpoint_management_run_trusted_ca_update` +* **New Resource:** `checkpoint_management_set_gateway_global_use` +* **New Resource:** `checkpoint_management_set_https_advanced_settings` * **New Resource:** `checkpoint_management_delete_infinity_idp_object` * **New Resource:** `checkpoint_management_delete_infinity_idp` * **New Resource:** `checkpoint_management_mobile_access_section` 
@@ -32,6 +39,11 @@ FEATURES * **New Resource:** `checkpoint_management_data_type_group` * **New Resource:** `checkpoint_management_data_type_traditional_group` * **New Resource:** `checkpoint_management_data_type_compound_group` +* **New Data Source:** `checkpoint_management_custom_trusted_ca_certificate` +* **New Data Source:** `checkpoint_management_outbound_inspection_certificate` +* **New Data Source:** `checkpoint_management_gateway_global_use` +* **New Data Source:** `checkpoint_management_https_advanced_settings` +* **New Data Source:** `checkpoint_management_gateway_capabilities` * **New Data Source:** `checkpoint_management_infinity_idp_object` * **New Data Source:** `checkpoint_management_infinity_idp` * **New Data Source:** `checkpoint_management_mobile_access_section` diff --git a/checkpoint/data_source_checkpoint_management_custom_trusted_ca_certificate.go b/checkpoint/data_source_checkpoint_management_custom_trusted_ca_certificate.go new file mode 100644 index 00000000..c199705e --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_custom_trusted_ca_certificate.go 
@@ -0,0 +1,196 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementCustomTrustedCaCertificate() *schema.Resource { + return &schema.Resource{ + + Read: dataSourceManagementCustomTrustedCaCertificateRead, + + Schema: map[string]*schema.Schema{ + "uid": { + Type: schema.TypeString, + Optional: true, + Description: "Certificate Object uid.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Certificate Object name.", + }, + "added_by": { + Type: schema.TypeString, + Computed: true, + Description: "By whom the certificate was added.", + }, + "base64_certificate": { + Type: schema.TypeString, + Computed: true, + Description: "Certificate file encoded in base64.", + }, + "issued_by": { + Type: schema.TypeString, + Computed: true, + Description: "Trusted CA certificate issued by.", + }, + "issued_to": { + Type: schema.TypeString, + Computed: true, + Description: "Trusted CA certificate issued to.", + }, + "tags": { + Type: schema.TypeSet, + Computed: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "valid_from": { + Type: schema.TypeList, + Computed: true, + Description: "Trusted CA certificate valid from date.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iso_8601": { + Type: schema.TypeString, + Computed: true, + Description: "Date and time represented in international ISO 8601 format", + }, + "posix": { + Type: schema.TypeInt, + Computed: true, + Description: "Number of milliseconds that have elapsed since 00:00:00, 1 January 1970.\nTrusted CA certificate valid from date.", + }, + }, + }, + }, + "valid_to": { + Type: schema.TypeList, + Computed: true, + Description: "Trusted CA certificate valid to date.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ 
+ "iso_8601": { + Type: schema.TypeString, + Computed: true, + Description: "Date and time represented in international ISO 8601 format", + }, + "posix": { + Type: schema.TypeInt, + Computed: true, + Description: "Number of milliseconds that have elapsed since 00:00:00, 1 January 1970.\nTrusted CA certificate valid from date.", + }, + }, + }, + }, + }, + } +} + +func dataSourceManagementCustomTrustedCaCertificateRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := make(map[string]interface{}) + + name := d.Get("name").(string) + uid := d.Get("uid").(string) + + if name != "" { + payload["name"] = name + } else if uid != "" { + payload["uid"] = uid + } + + CustomTrustedCaCertificateObjRes, err := client.ApiCall("show-custom-trusted-ca-certificate", payload, client.GetSessionID(), true, client.IsProxyUsed()) + + if err != nil { + return fmt.Errorf(err.Error()) + } + if !CustomTrustedCaCertificateObjRes.Success { + // Handle delete resource from other clients + if objectNotFound(CustomTrustedCaCertificateObjRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(CustomTrustedCaCertificateObjRes.ErrorMsg) + } + + customTrustedCaCertificateObj := CustomTrustedCaCertificateObjRes.GetData() + + log.Println("Read CP Trusted CA Certificate Object - Show JSON = ", customTrustedCaCertificateObj) + + if v := customTrustedCaCertificateObj["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + + if v := customTrustedCaCertificateObj["name"]; v != nil { + _ = d.Set("name", v) + } + if v := customTrustedCaCertificateObj["added-by"]; v != nil { + _ = d.Set("added_by", v) + } + if v := customTrustedCaCertificateObj["base64-certificate"]; v != nil { + _ = d.Set("base64_certificate", cleanseCertificate(v.(string))) + } + if v := customTrustedCaCertificateObj["issued-by"]; v != nil { + _ = d.Set("issued_by", v) + } + if v := customTrustedCaCertificateObj["issued-to"]; v != nil { + _ = 
d.Set("issued_to", v) + } + if customTrustedCaCertificateObj["tags"] != nil { + tagsJson, ok := customTrustedCaCertificateObj["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := customTrustedCaCertificateObj["valid-from"]; v != nil { + + localMap := v.(map[string]interface{}) + + validFrom := make(map[string]interface{}) + + if v := localMap["iso-8601"]; v != nil { + validFrom["iso_8601"] = v + } + if v := localMap["posix"]; v != nil { + validFrom["posix"] = v + } + _ = d.Set("valid_from", []interface{}{validFrom}) + } + if v := customTrustedCaCertificateObj["valid-to"]; v != nil { + + localMap := v.(map[string]interface{}) + + validTo := make(map[string]interface{}) + + if v := localMap["iso-8601"]; v != nil { + validTo["iso_8601"] = v + } + if v := localMap["posix"]; v != nil { + validTo["posix"] = v + } + _ = d.Set("valid_to", []interface{}{validTo}) + } + return nil +} diff --git a/checkpoint/data_source_checkpoint_management_gateway_capabilities.go b/checkpoint/data_source_checkpoint_management_gateway_capabilities.go new file mode 100644 index 00000000..12905efa --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_gateway_capabilities.go 
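Review bot: The objectNotFound branch in dataSourceManagementCustomTrustedCaCertificateRead clears the ID and returns nil, which is the pattern for a managed resource's Read (its comment even says "Handle delete resource from other clients"), but in a data source it makes a missing certificate silently yield a blank ID and an empty `base64_certificate` instead of failing the plan; return an error there, e.g. `return fmt.Errorf("custom trusted CA certificate not found (name=%q, uid=%q)", name, uid)`. The `GetData()["code"].(string)` assertion on that same line panics rather than errors if the API omits `code`, so the two-value form is safer. `fmt.Errorf(err.Error())` and `fmt.Errorf(CustomTrustedCaCertificateObjRes.ErrorMsg)` pass a non-constant format string, so a `%` in the server's message is mangled — `return err` and `fmt.Errorf("%s", res.ErrorMsg)` avoid that and keep `go vet` quiet. Separately, the `valid_to.posix` description reads "Trusted CA certificate valid from date.", a copy-paste from the `valid_from` block.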
@@ -0,0 +1,517 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementSetGatewayCapabilities() *schema.Resource { + return &schema.Resource{ + + Read: dataSourceManagementSetGatewayCapabilitiesRead, + + Schema: map[string]*schema.Schema{ + "hardware": { + Type: schema.TypeString, + Optional: true, + Description: "Check Point hardware.", + }, + "platform": { + Type: schema.TypeString, + Optional: true, + Description: "Check Point gateway platform.", + }, + "version": { + Type: schema.TypeString, + Optional: true, + Description: "Gateway platform version.", + }, + "restrictions": { + Type: schema.TypeMap, + Computed: true, + Description: "Set of restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "hardware": { + Type: schema.TypeString, + Computed: true, + Description: "The name of the regulation.", + }, + "platform": { + Type: schema.TypeString, + Computed: true, + Description: "Check Point gateway platform.", + }, + "version": { + Type: schema.TypeString, + Computed: true, + Description: "Gateway platform version.", + }, + }, + }, + }, + "supported_platforms": { + Type: schema.TypeList, + Computed: true, + Description: "Set of restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeString, + Computed: true, + Description: "The name of the regulation.", + }, + "platforms": { + Type: schema.TypeSet, + Computed: true, + Description: "List of Check Point gateway platforms.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "supported_blades": { + Type: schema.TypeList, + Computed: true, + Description: "Set of restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "management": { + Type: schema.TypeList, + Computed: 
true, + Description: "Management blades.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "N/A", + }, + "readonly": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + }, + }, + }, + "network_security": { + Type: schema.TypeList, + Computed: true, + Description: "Network Security blades.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "N/A", + }, + "readonly": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + }, + }, + }, + "threat_prevention": { + Type: schema.TypeList, + Computed: true, + MaxItems: 1, + Description: "Threat Prevention blades.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "autonomous": { + Type: schema.TypeList, + Computed: true, + Description: "N/A", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "N/A", + }, + "readonly": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + }, + }, + }, + "custom": { + Type: schema.TypeList, + Computed: true, + Description: "N/A", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "N/A", + }, + "readonly": { + Type: schema.TypeBool, + Optional: true, + Description: "N/A", + }, + }, + }, + }, + }, + }, + }, + }, + }, + }, + "supported_firmware_platforms": { + Type: schema.TypeList, + Computed: true, + MaxItems: 1, + Description: "Supported firmware 
platforms according to restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeString, + Computed: true, + Description: "Default gateway firmware platform.", + }, + "firmware_platforms": { + Type: schema.TypeSet, + Computed: true, + Description: "List of gateway firmware platforms.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "supported_hardware": { + Type: schema.TypeList, + Computed: true, + MaxItems: 1, + Description: "Supported firmware platforms according to restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeString, + Computed: true, + Description: "Default gateway firmware platform.", + }, + "hardware": { + Type: schema.TypeSet, + Computed: true, + Description: "List of gateway firmware platforms.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + "supported_versions": { + Type: schema.TypeList, + Computed: true, + MaxItems: 1, + Description: "Supported firmware platforms according to restrictions.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "default": { + Type: schema.TypeString, + Computed: true, + Description: "Default gateway firmware platform.", + }, + "versions": { + Type: schema.TypeSet, + Computed: true, + Description: "List of gateway firmware platforms.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + }, + }, + }, + }, + } +} + +func dataSourceManagementSetGatewayCapabilitiesRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := map[string]interface{}{} + + if v, ok := d.GetOk("hardware"); ok { + payload["hardware"] = v + } + if v, ok := d.GetOk("platform"); ok { + payload["platform"] = v + } + if v, ok := d.GetOk("version"); ok { + payload["version"] = v + } + + showGatewayCapabilitiesRes, err := client.ApiCall("show-gateway-capabilities", payload, client.GetSessionID(), true, 
client.IsProxyUsed()) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showGatewayCapabilitiesRes.Success { + return fmt.Errorf(showGatewayCapabilitiesRes.ErrorMsg) + } + + gatewayCapabilities := showGatewayCapabilitiesRes.GetData() + + log.Println("Read Gateway Capabilities - Show JSON = ", gatewayCapabilities) + + d.SetId("show-global-capabilities-" + acctest.RandString(10)) + + if v := gatewayCapabilities["restrictions"]; v != nil { + + objMap := v.(map[string]interface{}) + + restrictionsMapToAdd := make(map[string]interface{}) + + if v := objMap["hardware"]; v != nil { + restrictionsMapToAdd["hardware"] = v + } + if v := objMap["platform"]; v != nil { + restrictionsMapToAdd["platform"] = v + } + if v := objMap["version"]; v != nil { + restrictionsMapToAdd["version"] = v + } + _ = d.Set("restrictions", restrictionsMapToAdd) + } + + if v := gatewayCapabilities["supported-platforms"]; v != nil { + + objMap := v.(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["platforms"]; v != nil { + + mapToReturn["platforms"] = v + } + + _ = d.Set("supported_platforms", []interface{}{mapToReturn}) + } + + if v := gatewayCapabilities["supported-blades"]; v != nil { + + innerMap := v.(map[string]interface{}) + + supportedBladesMap := make(map[string]interface{}) + + if v := innerMap["management"]; v != nil { + + managementList := v.([]interface{}) + + if len(managementList) > 0 { + + var managementObjectsPayload []map[string]interface{} + + for i := range managementList { + + objMap := managementList[i].(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := objMap["readonly"]; v != nil { + mapToReturn["readonly"] = v + } + managementObjectsPayload = append(managementObjectsPayload, 
mapToReturn) + } + supportedBladesMap["management"] = managementObjectsPayload + } + } + + if v := innerMap["network-security"]; v != nil { + + networkSecurityList := v.([]interface{}) + + if len(networkSecurityList) > 0 { + + var networkSecurityObjectsPayload []map[string]interface{} + + for i := range networkSecurityList { + + objMap := networkSecurityList[i].(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := objMap["readonly"]; v != nil { + mapToReturn["readonly"] = v + } + networkSecurityObjectsPayload = append(networkSecurityObjectsPayload, mapToReturn) + } + supportedBladesMap["network_security"] = networkSecurityObjectsPayload + } + } + + if v := innerMap["threat-prevention"]; v != nil { + + threatPreventionMapToReturn := make(map[string]interface{}) + + threatPreventionMap := v.(map[string]interface{}) + + if v := threatPreventionMap["autonomous"]; v != nil { + + autonomousList := v.([]interface{}) + + if len(autonomousList) > 0 { + + var autonomousObjectsPayload []map[string]interface{} + + for i := range autonomousList { + + objMap := autonomousList[i].(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := objMap["readonly"]; v != nil { + mapToReturn["readonly"] = v + } + autonomousObjectsPayload = append(autonomousObjectsPayload, mapToReturn) + } + threatPreventionMapToReturn["autonomous"] = autonomousObjectsPayload + } + + } + + if v := threatPreventionMap["custom"]; v != nil { + + customList := v.([]interface{}) + + if len(customList) > 0 { + + var customObjectsPayload []map[string]interface{} + + for i := range customList { + + objMap := customList[i].(map[string]interface{}) + + mapToReturn := 
make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := objMap["readonly"]; v != nil { + mapToReturn["readonly"] = v + } + customObjectsPayload = append(customObjectsPayload, mapToReturn) + } + threatPreventionMapToReturn["custom"] = customObjectsPayload + } + + } + + supportedBladesMap["threat_prevention"] = []interface{}{threatPreventionMapToReturn} + + } + + _ = d.Set("supported_blades", []interface{}{supportedBladesMap}) + } + + if v := gatewayCapabilities["supported-firmware-platforms"]; v != nil { + + objMap := v.(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["firmwarePlatforms"]; v != nil { + mapToReturn["firmware_platforms"] = v + } + + _ = d.Set("supported_firmware_platforms", []interface{}{mapToReturn}) + } + + if v := gatewayCapabilities["supported-hardware"]; v != nil { + + objMap := v.(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["hardware"]; v != nil { + mapToReturn["hardware"] = v + } + + _ = d.Set("supported_hardware", []interface{}{mapToReturn}) + } + + if v := gatewayCapabilities["supported-versions"]; v != nil { + + objMap := v.(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := objMap["default"]; v != nil { + mapToReturn["default"] = v + } + if v := objMap["versions"]; v != nil { + mapToReturn["versions"] = v + } + + _ = d.Set("supported_versions", []interface{}{mapToReturn}) + } + + return nil +} diff --git a/checkpoint/data_source_checkpoint_management_gateway_global_use.go b/checkpoint/data_source_checkpoint_management_gateway_global_use.go new file mode 100644 index 00000000..c911ffcd --- /dev/null 
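Review bot: `objMap["firmwarePlatforms"]` in the supported-firmware-platforms branch of dataSourceManagementSetGatewayCapabilitiesRead is the only camelCase key the function reads; every other key is kebab-case (`supported-firmware-platforms`, `network-security`, `threat-prevention`), so if the API actually returns `firmware-platforms` this attribute will always come back empty — worth confirming against the show-gateway-capabilities response rather than discovering it at runtime. The ID is built from `acctest.RandString(10)`, which pulls a test-helper package into provider code and gives the data source a fresh ID on every read; a deterministic ID derived from the `hardware`/`platform`/`version` inputs (or a fixed string, and "gateway" rather than "global" in it) would be conventional. The attribute descriptions look copy-pasted: `supported_platforms` and `supported_blades` are described as "Set of restrictions.", `restrictions.hardware` and `supported_platforms.default` as "The name of the regulation.", and `supported_hardware`/`supported_versions` reuse the firmware-platform wording. Lastly, this is a data source but the function is named dataSourceManagementSetGatewayCapabilities — dropping "Set" matches dataSourceManagementCustomTrustedCaCertificate elsewhere in this patch.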
+++ b/checkpoint/data_source_checkpoint_management_gateway_global_use.go 
@@ -0,0 +1,108 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" +) + +func dataSourceManagementSetGatewayGlobalUse() *schema.Resource { + return &schema.Resource{ + + Read: dataSourceManagementSetGatewayGlobalUseRead, + + Schema: map[string]*schema.Schema{ + "target": { + Type: schema.TypeString, + Required: true, + Description: "On what target to execute this command. Target may be identified by its object name, or object unique identifier.", + }, + "uid": { + Type: schema.TypeString, + Computed: true, + Description: "Object unique identifier.", + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: "Target name.", + }, + "enabled": { + Type: schema.TypeBool, + Computed: true, + Description: "Indicates whether global use is enabled on the target.", + }, + "domain": { + Type: schema.TypeMap, + Computed: true, + Description: "Information about the domain that holds the Object.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Computed: true, + Description: "Object name. 
Must be unique in the domain.", + }, + "uid": { + Type: schema.TypeString, + Computed: true, + Description: "Object unique identifier.", + }, + "domain_type": { + Type: schema.TypeString, + Computed: true, + Description: "Domain type.", + }, + }, + }, + }, + }, + } +} + +func dataSourceManagementSetGatewayGlobalUseRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + var payload = map[string]interface{}{} + + if v, ok := d.GetOk("target"); ok { + payload["target"] = v.(string) + } + + ShowGatewayGlobalUseRes, _ := client.ApiCall("show-gateway-global-use", payload, client.GetSessionID(), true, false) + if !ShowGatewayGlobalUseRes.Success { + return fmt.Errorf(ShowGatewayGlobalUseRes.ErrorMsg) + } + + showGatewatGlobalUseData := ShowGatewayGlobalUseRes.GetData() + + _ = d.Set("uid", showGatewatGlobalUseData["uid"]) + d.SetId(showGatewatGlobalUseData["uid"].(string)) + + if v := showGatewatGlobalUseData["name"]; v != nil { + d.Set("name", v) + } + if v := showGatewatGlobalUseData["enabled"]; v != nil { + d.Set("enabled", v) + } + if v := showGatewatGlobalUseData["domain"]; v != nil { + + innerMap := v.(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := innerMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := innerMap["uid"]; v != nil { + mapToReturn["uid"] = v + } + if v := innerMap["domain-type"]; v != nil { + mapToReturn["domain_type"] = v + } + + d.Set("domain", mapToReturn) + } + return nil +} diff --git a/checkpoint/data_source_checkpoint_management_https_advanced_settings.go b/checkpoint/data_source_checkpoint_management_https_advanced_settings.go new file mode 100644 index 00000000..7b8a41ce --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_https_advanced_settings.go 
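Review bot: The error from `client.ApiCall` is discarded at `ShowGatewayGlobalUseRes, _ := client.ApiCall(...)` in dataSourceManagementSetGatewayGlobalUseRead, so a transport or session failure falls through to the `!Success` check and, if the SDK hands back an empty response on error, on to `showGatewatGlobalUseData["uid"].(string)`, where a nil interface makes the assertion panic instead of returning an error. Change it to `ShowGatewayGlobalUseRes, err := client.ApiCall(...)` followed by `if err != nil { return err }`, and use the two-value form for the `uid` assertion. The call also hard-codes the proxy flag to `false`, whereas the other data sources in this patch pass `client.IsProxyUsed()`; a management server reachable only through the configured proxy would fail here. Minor: the `d.Set` return values are dropped without the `_ =` the sibling files use, and `showGatewatGlobalUseData` is misspelled.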
@@ -0,0 +1,236 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementSetHttpsAdvancedSettings() *schema.Resource { + return &schema.Resource{ + Read: dataSourceManagementSetHttpsAdvancedSettingsRead, + Schema: map[string]*schema.Schema{ + "uid": { + Type: schema.TypeString, + Computed: true, + Description: "Object unique identifier.", + }, + "bypass_on_client_failure": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether all requests should be bypassed or blocked-in case of client errors (Client closes the connection due to authentication issues during handshake)

The default value is true.", + }, + "bypass_on_failure": { + Type: schema.TypeBool, + Computed: true, + Description: "Whether all requests should be bypassed or blocked-in case of server errors (for example validation error during GW-Server authentication)

The default value is true.", + }, + "bypass_under_load": { + Type: schema.TypeMap, + Computed: true, + Description: "Bypass the HTTPS Inspection temporarily to improve connectivity during a heavy load on the Security Gateway. The HTTPS Inspection would resume as soon as the load decreases.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "track": { + Type: schema.TypeString, + Computed: true, + Description: "Whether to log and send a notification for the bypass under load:.", + }, + }, + }, + }, + "site_categorization_allow_mode": { + Type: schema.TypeString, + Computed: true, + Description: "Whether all requests should be allowed or blocked until categorization is complete.

The default value is hold.", + }, + "server_certificate_validation_actions": { + Type: schema.TypeList, + Computed: true, + Description: "When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "block_expired": { + Type: schema.TypeBool, + Computed: true, + Description: "Set to be true in order to drop traffic from servers with expired server certificate.", + }, + "block_revoked": { + Type: schema.TypeBool, + Computed: true, + Description: "Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).", + }, + "block_untrusted": { + Type: schema.TypeBool, + Computed: true, + Description: "Set to be true in order to drop traffic from servers with untrusted server certificate.", + }, + "track_errors": { + Type: schema.TypeString, + Computed: true, + Description: "Whether to log and send a notification for the server validation errors:
.", + }, + }, + }, + }, + "retrieve_intermediate_ca_certificates": { + Type: schema.TypeBool, + Computed: true, + Description: "Configure the value \"true\" to use the \"Certificate Authority Information Access\" extension to retrieve certificates that are missing from the certificate chain.
The default value is true.", + }, + "blocked_certificates": { + Type: schema.TypeList, + Computed: true, + Description: "Collection of certificates objects identified by serial number.
Drop traffic from servers using the blocked certificate.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Computed: true, + Description: "Describes the name, cannot be overridden.", + }, + "cert_serial_number": { + Type: schema.TypeString, + Computed: true, + Description: "Certificate Serial Number (unique) in hexadecimal format HH:HH.", + }, + "comments": { + Type: schema.TypeString, + Computed: true, + Description: "Describes the certificate by default, can be overridden by any text.", + }, + }, + }, + }, + "blocked_certificate_tracking": { + Type: schema.TypeString, + Computed: true, + Description: "Controls whether to log and send a notification for dropped traffic.
.", + }, + "bypass_update_services": { + Type: schema.TypeBool, + Computed: true, + Description: "Configure the value \"true\" to bypass traffic to well-known software update services.
The default value is true.", + }, + "certificate_pinned_apps_action": { + Type: schema.TypeString, + Computed: true, + Description: "Configure the value \"bypass\" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot inspect connections initiated by certificate-pinned applications.
Configure the value \"detect\" to send logs for traffic from certificate-pinned applications approved by Check Point.
The default value is bypass.", + }, + "log_sessions": { + Type: schema.TypeBool, + Computed: true, + Description: "The value \"true\" configures the Security Gateway to send HTTPS Inspection session logs.
The default value is true.", + }, + }, + } +} + +func dataSourceManagementSetHttpsAdvancedSettingsRead(d *schema.ResourceData, m interface{}) error { + client := m.(*checkpoint.ApiClient) + + payload := make(map[string]interface{}) + + showHttpsAdvancedSettingsRes, err := client.ApiCall("show-https-advanced-settings", payload, client.GetSessionID(), true, client.IsProxyUsed()) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showHttpsAdvancedSettingsRes.Success { + return fmt.Errorf(showHttpsAdvancedSettingsRes.ErrorMsg) + } + + httpsAdvancedSettings := showHttpsAdvancedSettingsRes.GetData() + + log.Println("Read Https Advanced Settings - Show JSON = ", httpsAdvancedSettings) + + if v := httpsAdvancedSettings["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + + if v := httpsAdvancedSettings["bypass-on-client-failure"]; v != nil { + d.Set("bypass_on_client_failure", v) + } + if v := httpsAdvancedSettings["bypass-on-failure"]; v != nil { + d.Set("bypass_on_failure", v) + } + if v := httpsAdvancedSettings["bypass-under-load"]; v != nil { + mapToReturn := make(map[string]interface{}) + v := v.(map[string]interface{}) + if k := v["track"]; k != nil { + mapToReturn["track"] = k + } + + d.Set("bypass_under_load", mapToReturn) + } + + if v := httpsAdvancedSettings["site-categorization-allow-mode"]; v != nil { + d.Set("site_categorization_allow_mode", v) + } + if v := httpsAdvancedSettings["server-certificate-validation-actions"]; v != nil { + + mapToReturn := make(map[string]interface{}) + innerMap := v.(map[string]interface{}) + + if v := innerMap["block-expired"]; v != nil { + mapToReturn["block_expired"] = v + } + if v := innerMap["block-revoked"]; v != nil { + mapToReturn["block_revoked"] = v + } + if v := innerMap["block-untrusted"]; v != nil { + mapToReturn["block_untrusted"] = v + } + if v := innerMap["track-errors"]; v != nil { + mapToReturn["track_errors"] = v + } + + d.Set("server_certificate_validation_actions", 
[]interface{}{mapToReturn}) + } + + if v := httpsAdvancedSettings["retrieve-intermediate-ca-certificates"]; v != nil { + d.Set("retrieve_intermediate_ca_certificates", v) + } + if v := httpsAdvancedSettings["blocked-certificates"]; v != nil { + + var blockedCertificates []map[string]interface{} + + blockedCertificatesList := v.([]interface{}) + + for i := range blockedCertificatesList { + + innerMap := blockedCertificatesList[i].(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := innerMap["name"]; v != nil { + mapToReturn["name"] = v + } + if v := innerMap["cert-serial-number"]; v != nil { + mapToReturn["cert_serial_number"] = v + } + if v := innerMap["comments"]; v != nil { + mapToReturn["comments"] = v + } + blockedCertificates = append(blockedCertificates, mapToReturn) + } + + d.Set("blocked_certificates", blockedCertificates) + } + + if v := httpsAdvancedSettings["blocked-certificate-tracking"]; v != nil { + d.Set("blocked_certificate_tracking", v) + } + if v := httpsAdvancedSettings["bypass-update-services"]; v != nil { + d.Set("bypass_update_services", v) + } + if v := httpsAdvancedSettings["certificate-pinned-apps-action"]; v != nil { + d.Set("certificate_pinned_apps_action", v) + } + if v := httpsAdvancedSettings["log-sessions"]; v != nil { + d.Set("log_sessions", v) + } + + return nil +} diff --git a/checkpoint/data_source_checkpoint_management_outbound_inspection_certificate.go b/checkpoint/data_source_checkpoint_management_outbound_inspection_certificate.go new file mode 100644 index 00000000..98a203ad --- /dev/null +++ b/checkpoint/data_source_checkpoint_management_outbound_inspection_certificate.go 
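Review bot: The descriptions for `bypass_under_load.track`, `server_certificate_validation_actions.track_errors` and `blocked_certificate_tracking` end in a dangling ":." or ".\n.", which reads as if the list of allowed tracking values was lost during generation; the docs should name the values the API returns, or at least drop the stray colon. Since this data source exposes the HTTPS Inspection fail-open switches, `bypass_on_failure` and `bypass_on_client_failure` would be clearer if they said what the current "bypassed or blocked … default true" wording implies, e.g. `Description: "When true, connections that hit a server-side error during HTTPS Inspection are passed through uninspected instead of being dropped. The default value is true."`. Every `d.Set` in dataSourceManagementSetHttpsAdvancedSettingsRead drops its return value without the `_ =` used by the other data sources in this patch; `_ = d.Set(...)` keeps the intent explicit and linters quiet.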
@@ -0,0 +1,166 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func dataSourceManagementOutboundInspectionCertificate() *schema.Resource { + return &schema.Resource{ + + Read: dataSourceManagementOutboundInspectionCertificateRead, + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Object name.", + }, + "uid": { + Type: schema.TypeString, + Optional: true, + Description: "Object unique identifier.", + }, + "issued_by": { + Type: schema.TypeString, + Computed: true, + Description: "The DN (Distinguished Name) of the certificate.", + }, + "base64_certificate": { + Type: schema.TypeString, + Computed: true, + Description: "Password (encoded in Base64 with padding) for the certificate file.", + }, + "base64_public_certificate": { + Type: schema.TypeString, + Computed: true, + Description: "Password (encoded in Base64 with padding) for the certificate file.", + }, + "valid_from": { + Type: schema.TypeString, + Computed: true, + Description: "The date, from which the certificate is valid. Format: YYYY-MM-DD.", + }, + "valid_to": { + Type: schema.TypeString, + Computed: true, + Description: "The certificate expiration date. Format: YYYY-MM-DD.", + }, + "is_default": { + Type: schema.TypeBool, + Computed: true, + Description: "Is the certificate the default certificate.", + }, + "tags": { + Type: schema.TypeSet, + Computed: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "color": { + Type: schema.TypeString, + Computed: true, + Description: "Color of the object. 
Should be one of existing colors.", + }, + "comments": { + Type: schema.TypeString, + Computed: true, + Description: "Comments string.", + }, + }, + } +} +func dataSourceManagementOutboundInspectionCertificateRead(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + name := d.Get("name").(string) + uid := d.Get("uid").(string) + + payload := make(map[string]interface{}) + + if name != "" { + payload["name"] = name + } else if uid != "" { + payload["uid"] = uid + } + + showOutboundInspectionCertificateRes, err := client.ApiCall("show-outbound-inspection-certificate", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showOutboundInspectionCertificateRes.Success { + if objectNotFound(showOutboundInspectionCertificateRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showOutboundInspectionCertificateRes.ErrorMsg) + } + + outboundInspectionCertificate := showOutboundInspectionCertificateRes.GetData() + + log.Println("Read OutboundInspectionCertificate - Show JSON = ", outboundInspectionCertificate) + + if v := outboundInspectionCertificate["uid"]; v != nil { + _ = d.Set("uid", v) + d.SetId(v.(string)) + } + + if v := outboundInspectionCertificate["name"]; v != nil { + _ = d.Set("name", v) + } + + if v := outboundInspectionCertificate["issued-by"]; v != nil { + _ = d.Set("issued_by", v) + } + + if v := outboundInspectionCertificate["base64-certificate"]; v != nil { + _ = d.Set("base64_certificate", cleanseCertificate(v.(string))) + } + + if v := outboundInspectionCertificate["base64-public-certificate"]; v != nil { + _ = d.Set("base64_public_certificate", cleanseCertificate(v.(string))) + } + + if v := outboundInspectionCertificate["valid-from"]; v != nil { + _ = d.Set("valid_from", v) + } + + if v := outboundInspectionCertificate["valid-to"]; v != nil { + _ = d.Set("valid_to", v) + } + + if v := outboundInspectionCertificate["is-default"]; v != 
nil {
+ _ = d.Set("is_default", v)
+ }
+
+ if outboundInspectionCertificate["tags"] != nil {
+ tagsJson, ok := outboundInspectionCertificate["tags"].([]interface{})
+ if ok {
+ tagsIds := make([]string, 0)
+ if len(tagsJson) > 0 {
+ for _, tags := range tagsJson {
+ tags := tags.(map[string]interface{})
+ tagsIds = append(tagsIds, tags["name"].(string))
+ }
+ }
+ _ = d.Set("tags", tagsIds)
+ }
+ } else {
+ _ = d.Set("tags", nil)
+ }
+
+ if v := outboundInspectionCertificate["color"]; v != nil {
+ _ = d.Set("color", v)
+ }
+
+ if v := outboundInspectionCertificate["comments"]; v != nil {
+ _ = d.Set("comments", v)
+ }
+
+ return nil
+
+}
diff --git a/checkpoint/provider.go b/checkpoint/provider.go
index 838078a7..b7ee957d 100644
--- a/checkpoint/provider.go
+++ b/checkpoint/provider.go
@@ -111,6 +111,13 @@ func Provider() terraform.ResourceProvider {
 },
 },
 ResourcesMap: map[string]*schema.Resource{
+ "checkpoint_management_outbound_inspection_certificate": resourceManagementOutboundInspectionCertificate(),
+ "checkpoint_management_run_trusted_ca_update": resourceManagementRunTrustedCaUpdate(),
+ "checkpoint_management_delete_custom_trusted_ca_certificate": resourceManagementDeleteCustomTrustedCaCertificate(),
+ "checkpoint_management_add_custom_trusted_ca_certificate": resourceManagementAddCustomTrustedCaCertificate(),
+ "checkpoint_management_set_https_advanced_settings": resourceManagementSetHttpsAdvancedSettings(),
+ "checkpoint_management_set_gateway_global_use": resourceManagementSetGatewayGlobalUse(),
+ "checkpoint_management_vsx_provisioning_tool": resourceManagementVsxProvisioningTool(),
 "checkpoint_management_delete_infinity_idp_object": resourceManagementDeleteInfinityIdpObject(),
 "checkpoint_management_delete_infinity_idp": resourceManagementDeleteInfinityIdp(),
 "checkpoint_management_mobile_access_section": resourceManagementMobileAccessSection(),
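Review bot: The `base64_certificate` and `base64_public_certificate` descriptions in `dataSourceManagementOutboundInspectionCertificate` say "Password (encoded in Base64 with padding) for the certificate file.", but the read function stores the certificate itself into them (`cleanseCertificate(v.(string))`), so the text looks copied from a password attribute; suggest `Description: "Certificate file encoded in base64."` and `Description: "Public certificate file encoded in base64."`. In `dataSourceManagementOutboundInspectionCertificateRead`, `objectNotFound(showOutboundInspectionCertificateRes.GetData()["code"].(string))` is an unchecked type assertion, so a failure response without a string `code` key panics the provider instead of returning `ErrorMsg`; guard it as `if code, ok := showOutboundInspectionCertificateRes.GetData()["code"].(string); ok && objectNotFound(code) {`. `fmt.Errorf(err.Error())` and `fmt.Errorf(showOutboundInspectionCertificateRes.ErrorMsg)` use the message as a format string, so any `%` in an API error is mangled; `return err` and `errors.New(...)` (or `fmt.Errorf("%s", ...)`) avoid that. The proxy flag is also hard-coded to `false` here while the https-advanced-settings data source in the previous hunk passes `client.IsProxyUsed()`; presumably the same should apply to every call in this PR.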
@@ -323,6 +330,11 @@ func Provider() terraform.ResourceProvider {
 "checkpoint_management_cme_gw_configurations_gcp": resourceManagementCMEGWConfigurationsGCP(),
 },
 DataSourcesMap: map[string]*schema.Resource{
+ "checkpoint_management_outbound_inspection_certificate": dataSourceManagementOutboundInspectionCertificate(),
+ "checkpoint_management_custom_trusted_ca_certificate": dataSourceManagementCustomTrustedCaCertificate(),
+ "checkpoint_management_https_advanced_settings": dataSourceManagementSetHttpsAdvancedSettings(),
+ "checkpoint_management_gateway_global_use": dataSourceManagementSetGatewayGlobalUse(),
+ "checkpoint_management_gateway_capabilities": dataSourceManagementSetGatewayCapabilities(),
 "checkpoint_management_infinity_idp_object": dataSourceManagementInfinityIdpObject(),
 "checkpoint_management_infinity_idp": dataSourceManagementInfinityIdp(),
 "checkpoint_management_mobile_access_section": dataSourceManagementMobileAccessSection(),
diff --git a/checkpoint/resource_checkpoint_management_command_add_custom_trusted_ca_certificate.go b/checkpoint/resource_checkpoint_management_command_add_custom_trusted_ca_certificate.go
new file mode 100644
index 00000000..82c74f4a
--- /dev/null
+++ b/checkpoint/resource_checkpoint_management_command_add_custom_trusted_ca_certificate.go
@@ -0,0 +1,190 @@
+package checkpoint
+
+import (
+ "fmt"
+ checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceManagementAddCustomTrustedCaCertificate() *schema.Resource {
+ return &schema.Resource{
+ Create: createManagementAddCustomTrustedCaCertificate,
+ Read: readManagementAddCustomTrustedCaCertificate,
+ Delete: deleteManagementAddCustomTrustedCaCertificate,
+ Schema: map[string]*schema.Schema{
+ "base64_certificate": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Description: "Certificate file encoded in base64.
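Review bot: Three of the data-source constructors registered in `DataSourcesMap` carry `Set` in their names (`dataSourceManagementSetHttpsAdvancedSettings`, `dataSourceManagementSetGatewayGlobalUse`, `dataSourceManagementSetGatewayCapabilities`) although they back read-only data sources named `checkpoint_management_https_advanced_settings`, `..._gateway_global_use` and `..._gateway_capabilities`; the `Set` prefix belongs to the command resources in the `ResourcesMap` hunk above. Renaming them to `dataSourceManagementHttpsAdvancedSettings`, `dataSourceManagementGatewayGlobalUse` and `dataSourceManagementGatewayCapabilities` (with their `...Read` functions) keeps constructor names aligned with the registered names, as `dataSourceManagementOutboundInspectionCertificate` already is.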
Valid file formats: x509.", + }, + "uid": { + Type: schema.TypeString, + Computed: true, + Description: "Object unique identifier.", + }, + "name": { + Type: schema.TypeString, + Computed: true, + Description: "Object name.", + }, + "added_by": { + Type: schema.TypeString, + Computed: true, + Description: "By whom the certificate was added.", + }, + "issued_by": { + Type: schema.TypeString, + Computed: true, + Description: "Trusted CA certificate issued by.", + }, + "issued_to": { + Type: schema.TypeString, + Computed: true, + Description: "Trusted CA certificate issued to.", + }, + "tags": { + Type: schema.TypeSet, + Computed: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "valid_from": { + Type: schema.TypeList, + Computed: true, + Description: "Trusted CA certificate valid from date.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iso_8601": { + Type: schema.TypeString, + Computed: true, + Description: "Date and time represented in international ISO 8601 format", + }, + "posix": { + Type: schema.TypeInt, + Computed: true, + Description: "Number of milliseconds that have elapsed since 00:00:00, 1 January 1970.\nTrusted CA certificate valid from date.", + }, + }, + }, + }, + "valid_to": { + Type: schema.TypeList, + Computed: true, + Description: "Trusted CA certificate valid to date.", + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "iso_8601": { + Type: schema.TypeString, + Computed: true, + Description: "Date and time represented in international ISO 8601 format", + }, + "posix": { + Type: schema.TypeInt, + Computed: true, + Description: "Number of milliseconds that have elapsed since 00:00:00, 1 January 1970.\nTrusted CA certificate valid from date.", + }, + }, + }, + }, + }, + } +} + +func createManagementAddCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + 
var payload = map[string]interface{}{} + if v, ok := d.GetOk("base64_certificate"); ok { + payload["base64-certificate"] = v.(string) + } + + AddCustomTrustedCaCertificateRes, _ := client.ApiCall("add-custom-trusted-ca-certificate", payload, client.GetSessionID(), true, false) + if !AddCustomTrustedCaCertificateRes.Success { + return fmt.Errorf(AddCustomTrustedCaCertificateRes.ErrorMsg) + } + + customTrustedCaCertificateObj := AddCustomTrustedCaCertificateRes.GetData() + + if v := customTrustedCaCertificateObj["uid"]; v != nil { + d.SetId(v.(string)) + d.Set("uid", v) + } + + if v := customTrustedCaCertificateObj["name"]; v != nil { + d.Set("name", v) + } + + if v := customTrustedCaCertificateObj["added-by"]; v != nil { + _ = d.Set("added_by", v) + } + if v := customTrustedCaCertificateObj["base64-certificate"]; v != nil { + _ = d.Set("base64_certificate", cleanseCertificate(v.(string))) + } + if v := customTrustedCaCertificateObj["issued-by"]; v != nil { + _ = d.Set("issued_by", v) + } + if v := customTrustedCaCertificateObj["issued-to"]; v != nil { + _ = d.Set("issued_to", v) + } + if customTrustedCaCertificateObj["tags"] != nil { + tagsJson, ok := customTrustedCaCertificateObj["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := customTrustedCaCertificateObj["valid-from"]; v != nil { + + localMap := v.(map[string]interface{}) + + validFrom := make(map[string]interface{}) + + if v := localMap["iso-8601"]; v != nil { + validFrom["iso_8601"] = v + } + if v := localMap["posix"]; v != nil { + validFrom["posix"] = v + } + _ = d.Set("valid_from", []interface{}{validFrom}) + } + if v := customTrustedCaCertificateObj["valid-to"]; v != nil { + + localMap := v.(map[string]interface{}) + + validTo := 
make(map[string]interface{}) + + if v := localMap["iso-8601"]; v != nil { + validTo["iso_8601"] = v + } + if v := localMap["posix"]; v != nil { + validTo["posix"] = v + } + _ = d.Set("valid_to", []interface{}{validTo}) + } + + return readManagementAddCustomTrustedCaCertificate(d, m) +} + +func readManagementAddCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error { + return nil +} + +func deleteManagementAddCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error { + d.SetId("") + return nil +} diff --git a/checkpoint/resource_checkpoint_management_command_delete_custom_trusted_ca_certificate.go b/checkpoint/resource_checkpoint_management_command_delete_custom_trusted_ca_certificate.go new file mode 100644 index 00000000..f350c7e5 --- /dev/null +++ b/checkpoint/resource_checkpoint_management_command_delete_custom_trusted_ca_certificate.go 
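Review bot: `AddCustomTrustedCaCertificateRes, _ := client.ApiCall(...)` in `createManagementAddCustomTrustedCaCertificate` discards the error returned by the call; when the request itself fails (session, network) the code falls through to `!AddCustomTrustedCaCertificateRes.Success` and reports `ErrorMsg` of a response that presumably was never filled, so the user most likely sees an empty error. Check it the way the data sources in this PR do: `res, err := client.ApiCall(...)` followed by `if err != nil { return err }` before testing `Success`. The same pattern appears in the delete-custom-trusted-ca-certificate, run-trusted-ca-update, set-gateway-global-use and set-https-advanced-settings hunks below. Separately, the `valid_to.posix` description reuses the `valid_from` text ("...Trusted CA certificate valid from date."); it should read `Trusted CA certificate valid to date.`.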
@@ -0,0 +1,83 @@
+package checkpoint
+
+import (
+ "fmt"
+ checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceManagementDeleteCustomTrustedCaCertificate() *schema.Resource {
+ return &schema.Resource{
+ Create: createManagementDeleteCustomTrustedCaCertificate,
+ Read: readManagementDeleteCustomTrustedCaCertificate,
+ Delete: deleteManagementDeleteCustomTrustedCaCertificate,
+ Schema: map[string]*schema.Schema{
+ "uid": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ Description: "Object name.",
+ },
+ "name": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ Description: "Object name.",
+ },
+ "ignore_warnings": {
+ Type: schema.TypeBool,
+ Optional: true,
+ ForceNew: true,
+ Description: "Apply changes ignoring warnings.",
+ },
+ "ignore_errors": {
+ Type: schema.TypeBool,
+ Optional: true,
+ ForceNew: true,
+ Description: "Apply changes ignoring errors. You won't be able to publish such a changes. 
If ignore-warnings flag was omitted - warnings will also be ignored.",
+ },
+ },
+ }
+}
+
+func createManagementDeleteCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error {
+
+ client := m.(*checkpoint.ApiClient)
+
+ var payload = map[string]interface{}{}
+
+ if v, ok := d.GetOk("uid"); ok {
+ payload["uid"] = v.(string)
+ } else {
+ if v, ok := d.GetOk("name"); ok {
+ payload["name"] = v.(string)
+ }
+ }
+ if v, ok := d.GetOkExists("ignore_warnings"); ok {
+ payload["ignore-warnings"] = v.(bool)
+ }
+
+ if v, ok := d.GetOkExists("ignore_errors"); ok {
+ payload["ignore-errors"] = v.(bool)
+ }
+
+ DeleteCustomTrustedCaCertificateRes, _ := client.ApiCall("delete-custom-trusted-ca-certificate", payload, client.GetSessionID(), true, false)
+ if !DeleteCustomTrustedCaCertificateRes.Success {
+ return fmt.Errorf(DeleteCustomTrustedCaCertificateRes.ErrorMsg)
+ }
+ d.SetId("delete-custom-trusted-ca-certificate-" + acctest.RandString(10))
+
+ return readManagementDeleteCustomTrustedCaCertificate(d, m)
+}
+
+func readManagementDeleteCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error {
+
+ return nil
+}
+
+func deleteManagementDeleteCustomTrustedCaCertificate(d *schema.ResourceData, m interface{}) error {
+
+ d.SetId("")
+ return nil
+}
diff --git a/checkpoint/resource_checkpoint_management_command_run_trusted_ca_update.go b/checkpoint/resource_checkpoint_management_command_run_trusted_ca_update.go
new file mode 100644
index 00000000..f350c7e5
--- /dev/null
+++ b/checkpoint/resource_checkpoint_management_command_run_trusted_ca_update.go
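Review bot: The `uid` attribute of `resourceManagementDeleteCustomTrustedCaCertificate` is described as "Object name.", copied from `name`; it should be `Description: "Object unique identifier."` as in the other resources of this PR. Neither `uid` nor `name` is required and `createManagementDeleteCustomTrustedCaCertificate` does not check that one of them was set, so an empty configuration sends `delete-custom-trusted-ca-certificate` with no identifier and the mistake surfaces only as an API error at apply time; if the SDK version in use supports it, `ExactlyOneOf: []string{"uid", "name"}` on both attributes rejects this at plan time, otherwise an explicit check returning an error before the call would do.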
@@ -0,0 +1,58 @@
+package checkpoint
+
+import (
+ "fmt"
+ checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceManagementRunTrustedCaUpdate() *schema.Resource {
+ return &schema.Resource{
+ Create: createManagementRunTrustedCaUpdate,
+ Read: readManagementRunTrustedCaUpdate,
+ Delete: deleteManagementRunTrustedCaUpdate,
+ Schema: map[string]*schema.Schema{
+ "package_path": {
+ Type: schema.TypeString,
+ Optional: true,
+ ForceNew: true,
+ Description: "Path on the management server for offline Trusted CAs package update.",
+ },
+ "task_id": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Command asynchronous task unique identifier.",
+ },
+ },
+ }
+}
+
+func createManagementRunTrustedCaUpdate(d *schema.ResourceData, m interface{}) error {
+ client := m.(*checkpoint.ApiClient)
+
+ var payload = make(map[string]interface{})
+ if v, ok := d.GetOk("package_path"); ok {
+ payload["package-path"] = v.(string)
+ }
+
+ RunTrustedCaUpdateRes, _ := client.ApiCall("run-trusted-ca-update", payload, client.GetSessionID(), true, false)
+ if !RunTrustedCaUpdateRes.Success {
+ return fmt.Errorf(RunTrustedCaUpdateRes.ErrorMsg)
+ }
+
+ d.SetId("run-trusted-ca-update-" + acctest.RandString(10))
+ _ = d.Set("task_id", resolveTaskId(RunTrustedCaUpdateRes.GetData()))
+ return readManagementRunTrustedCaUpdate(d, m)
+}
+
+func readManagementRunTrustedCaUpdate(d *schema.ResourceData, m interface{}) error {
+
+ return nil
+}
+
+func deleteManagementRunTrustedCaUpdate(d *schema.ResourceData, m interface{}) error {
+
+ d.SetId("")
+ return nil
+}
diff --git a/checkpoint/resource_checkpoint_management_command_set_gateway_global_use.go b/checkpoint/resource_checkpoint_management_command_set_gateway_global_use.go
new file mode 100644
index 00000000..d77ff592
--- /dev/null
+++ b/checkpoint/resource_checkpoint_management_command_set_gateway_global_use.go
@@ -0,0 +1,70 @@
+package checkpoint
+
+import (
+ "fmt"
+ checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles"
+ "github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func resourceManagementSetGatewayGlobalUse() *schema.Resource {
+ return &schema.Resource{
+ Create: createManagementSetGatewayGlobalUse,
+ Read: readManagementSetGatewayGlobalUse,
+ Delete: deleteManagementSetGatewayGlobalUse,
+ Schema: map[string]*schema.Schema{
+ "uid": {
+ Type: schema.TypeString,
+ Computed: true,
+ Description: "Object unique identifier.",
+ },
+ "enabled": {
+ Type: schema.TypeBool,
+ Required: true,
+ ForceNew: true,
+ Description: "Indicates whether global use is enabled on the target.",
+ },
+ "target": {
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Description: "On what target to execute this command. Target may be identified by its object name, or object unique identifier.",
+ },
+ },
+ }
+}
+
+func createManagementSetGatewayGlobalUse(d *schema.ResourceData, m interface{}) error {
+
+ client := m.(*checkpoint.ApiClient)
+
+ var payload = map[string]interface{}{}
+ if v, ok := d.GetOkExists("enabled"); ok {
+ payload["enabled"] = v.(bool)
+ }
+
+ if v, ok := d.GetOk("target"); ok {
+ payload["target"] = v.(string)
+ }
+
+ SetGatewayGlobalUseRes, _ := client.ApiCall("set-gateway-global-use", payload, client.GetSessionID(), true, false)
+ if !SetGatewayGlobalUseRes.Success {
+ return fmt.Errorf(SetGatewayGlobalUseRes.ErrorMsg)
+ }
+
+ res := SetGatewayGlobalUseRes.GetData()
+
+ _ = d.Set("uid", res["uid"])
+ d.SetId(res["uid"].(string))
+ return readManagementSetGatewayGlobalUse(d, m)
+}
+
+func readManagementSetGatewayGlobalUse(d *schema.ResourceData, m interface{}) error {
+
+ return nil
+}
+
+func deleteManagementSetGatewayGlobalUse(d *schema.ResourceData, m interface{}) error {
+
+ d.SetId("")
+ return nil
+}
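Review bot: `d.SetId(res["uid"].(string))` in `createManagementSetGatewayGlobalUse` is an unchecked type assertion: a successful response that lacks a `uid` key, or carries a non-string one, panics the provider process instead of returning an error. The sibling resources in this PR guard this case (`if v := res["uid"]; v != nil { _ = d.Set("uid", v); d.SetId(v.(string)) }`); use the same form here and return an explicit error when `uid` is absent, since a command resource without an ID cannot be tracked in state.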
diff --git a/checkpoint/resource_checkpoint_management_command_set_https_advanced_settings.go b/checkpoint/resource_checkpoint_management_command_set_https_advanced_settings.go new file mode 100644 index 00000000..005a801b --- /dev/null +++ b/checkpoint/resource_checkpoint_management_command_set_https_advanced_settings.go @@ -0,0 +1,283 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "strconv" +) + +func resourceManagementSetHttpsAdvancedSettings() *schema.Resource { + return &schema.Resource{ + Create: createManagementSetHttpsAdvancedSettings, + Read: readManagementSetHttpsAdvancedSettings, + Delete: deleteManagementSetHttpsAdvancedSettings, + Schema: map[string]*schema.Schema{ + "uid": { + Type: schema.TypeString, + Computed: true, + Description: "Object unique identifier.", + }, + "bypass_on_client_failure": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Whether all requests should be bypassed or blocked-in case of client errors (Client closes the connection due to authentication issues during handshake)

The default value is true.", + }, + "bypass_on_failure": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Whether all requests should be bypassed or blocked-in case of server errors (for example validation error during GW-Server authentication)

The default value is true.", + }, + "bypass_under_load": { + Type: schema.TypeMap, + Optional: true, + Description: "Bypass the HTTPS Inspection temporarily to improve connectivity during a heavy load on the Security Gateway. The HTTPS Inspection would resume as soon as the load decreases.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "track": { + Type: schema.TypeString, + Optional: true, + Description: "Whether to log and send a notification for the bypass under load:.", + Default: "Alert", + }, + }, + }, + }, + "site_categorization_allow_mode": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Whether all requests should be allowed or blocked until categorization is complete.

The default value is hold.", + }, + "server_certificate_validation_actions": { + Type: schema.TypeMap, + Optional: true, + Description: "When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "block_expired": { + Type: schema.TypeBool, + Optional: true, + Description: "Set to be true in order to drop traffic from servers with expired server certificate.", + Default: false, + }, + "block_revoked": { + Type: schema.TypeBool, + Optional: true, + Description: "Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).", + Default: true, + }, + "block_untrusted": { + Type: schema.TypeBool, + Optional: true, + Description: "Set to be true in order to drop traffic from servers with untrusted server certificate.", + Default: false, + }, + "track_errors": { + Type: schema.TypeString, + Optional: true, + Description: "Whether to log and send a notification for the server validation errors:
.", + }, + }, + }, + }, + "retrieve_intermediate_ca_certificates": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Configure the value \"true\" to use the \"Certificate Authority Information Access\" extension to retrieve certificates that are missing from the certificate chain.
The default value is true.", + }, + "blocked_certificates": { + Type: schema.TypeList, + Optional: true, + Description: "Collection of certificates objects identified by serial number.
Drop traffic from servers using the blocked certificate.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Describes the name, cannot be overridden.", + }, + "cert_serial_number": { + Type: schema.TypeString, + Optional: true, + Description: "Certificate Serial Number (unique) in hexadecimal format HH:HH.", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Describes the certificate by default, can be overridden by any text.", + }, + }, + }, + }, + "blocked_certificate_tracking": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Controls whether to log and send a notification for dropped traffic.
.", + }, + "bypass_update_services": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Configure the value \"true\" to bypass traffic to well-known software update services.
The default value is true.", + }, + "certificate_pinned_apps_action": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Configure the value \"bypass\" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot inspect connections initiated by certificate-pinned applications.
Configure the value \"detect\" to send logs for traffic from certificate-pinned applications approved by Check Point.
The default value is bypass.", + }, + "log_sessions": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "The value \"true\" configures the Security Gateway to send HTTPS Inspection session logs.
The default value is true.", + }, + "ignore_warnings": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Apply changes ignoring warnings.", + }, + "ignore_errors": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.", + }, + }, + } +} + +func createManagementSetHttpsAdvancedSettings(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + var payload = map[string]interface{}{} + if v, ok := d.GetOkExists("bypass_on_client_failure"); ok { + payload["bypass-on-client-failure"] = v.(bool) + } + + if v, ok := d.GetOkExists("bypass_on_failure"); ok { + payload["bypass-on-failure"] = v.(bool) + } + + if _, ok := d.GetOk("bypass_under_load"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("bypass_under_load.track"); ok { + res["track"] = v.(string) + } + payload["bypass-under-load"] = res + } + + if v, ok := d.GetOk("site_categorization_allow_mode"); ok { + payload["site-categorization-allow-mode"] = v.(string) + } + + if _, ok := d.GetOk("server_certificate_validation_actions"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("server_certificate_validation_actions.block_expired"); ok { + res["block-expired"] = v + } + if v, ok := d.GetOk("server_certificate_validation_actions.block_revoked"); ok { + res["block-revoked"] = v + } + if v, ok := d.GetOk("server_certificate_validation_actions.block_untrusted"); ok { + res["block-untrusted"] = v + } + if v, ok := d.GetOk("server_certificate_validation_actions.track_errors"); ok { + res["track-errors"] = v + } + payload["server-certificate-validation-actions"] = res + } + + if v, ok := d.GetOkExists("retrieve_intermediate_ca_certificates"); ok { + payload["retrieve-intermediate-ca-certificates"] = v.(bool) + } + + if v, ok := 
d.GetOk("blocked_certificates"); ok { + + blockedCertificatesList := v.([]interface{}) + + if len(blockedCertificatesList) > 0 { + + var blockedCertificatesPayload []map[string]interface{} + + for i := range blockedCertificatesList { + + Payload := make(map[string]interface{}) + + if v, ok := d.GetOk("blocked_certificates." + strconv.Itoa(i) + ".name"); ok { + Payload["name"] = v.(string) + } + if v, ok := d.GetOk("blocked_certificates." + strconv.Itoa(i) + ".cert_serial_number"); ok { + Payload["cert-serial-number"] = v.(string) + } + if v, ok := d.GetOk("blocked_certificates." + strconv.Itoa(i) + ".comments"); ok { + Payload["comments"] = v.(string) + } + blockedCertificatesPayload = append(blockedCertificatesPayload, Payload) + } + payload["blocked-certificates"] = blockedCertificatesPayload + } + } + + if v, ok := d.GetOk("blocked_certificate_tracking"); ok { + payload["blocked-certificate-tracking"] = v.(string) + } + + if v, ok := d.GetOkExists("bypass_update_services"); ok { + payload["bypass-update-services"] = v.(bool) + } + + if v, ok := d.GetOk("certificate_pinned_apps_action"); ok { + payload["certificate-pinned-apps-action"] = v.(string) + } + + if v, ok := d.GetOkExists("log_sessions"); ok { + payload["log-sessions"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + payload["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + payload["ignore-errors"] = v.(bool) + } + + SetHttpsAdvancedSettingsRes, _ := client.ApiCall("set-https-advanced-settings", payload, client.GetSessionID(), true, false) + if !SetHttpsAdvancedSettingsRes.Success { + return fmt.Errorf(SetHttpsAdvancedSettingsRes.ErrorMsg) + } + + setHttpsAdvancedSettingsResData := SetHttpsAdvancedSettingsRes.GetData() + if v := setHttpsAdvancedSettingsResData["uid"]; v != nil { + d.Set("uid", v) + d.SetId(v.(string)) + } + + return readManagementSetHttpsAdvancedSettings(d, m) +} + +func readManagementSetHttpsAdvancedSettings(d 
*schema.ResourceData, m interface{}) error { + + return nil +} + +func deleteManagementSetHttpsAdvancedSettings(d *schema.ResourceData, m interface{}) error { + + d.SetId("") + return nil +} diff --git a/checkpoint/resource_checkpoint_management_command_vsx_provisioning_tool.go b/checkpoint/resource_checkpoint_management_command_vsx_provisioning_tool.go new file mode 100644 index 00000000..a26f30f8 --- /dev/null +++ b/checkpoint/resource_checkpoint_management_command_vsx_provisioning_tool.go @@ -0,0 +1,1534 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" + "strconv" +) + +func resourceManagementVsxProvisioningTool() *schema.Resource { + return &schema.Resource{ + Create: createManagementVsxProvisioningTool, + Read: readManagementVsxProvisioningTool, + Delete: deleteManagementVsxProvisioningTool, + Schema: map[string]*schema.Schema{ + "task_id": { + Type: schema.TypeString, + Computed: true, + Description: "Command asynchronous task unique identifier.", + }, + "operation": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "The name of the provisioning operation to run. Each operation has its own specific parameters.
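Review bot: `bypass_under_load` and `server_certificate_validation_actions` are declared as `schema.TypeMap` with a nested `*schema.Resource` Elem, and `createManagementSetHttpsAdvancedSettings` copies the nested values into the payload untyped (`res["block-expired"] = v`). As far as I know the SDK reads every TypeMap value as a string regardless of the nested schema and never applies the nested `Default:` values, so the request would carry `"block-expired": "true"` rather than a JSON boolean and the `block_revoked: true` default is never sent; whether the management API coerces the string I cannot tell from here. Either convert explicitly with `strconv.ParseBool` (already imported in this file) before assigning, as sketched below, or declare both as `TypeList` with `MaxItems: 1` and read them via `server_certificate_validation_actions.0.block_expired`, which is how `blocked_certificates` is already handled. The descriptions of `bypass_under_load.track`, `track_errors` and `blocked_certificate_tracking` end in a dangling ":" or "." where the list of allowed values was evidently dropped; they should name the accepted values or drop the colon.
```go
	if _, ok := d.GetOk("server_certificate_validation_actions"); ok {
		res := make(map[string]interface{})
		// TypeMap values come back as strings; send real booleans to the API.
		for tfKey, apiKey := range map[string]string{
			"block_expired":   "block-expired",
			"block_revoked":   "block-revoked",
			"block_untrusted": "block-untrusted",
		} {
			if v, ok := d.GetOk("server_certificate_validation_actions." + tfKey); ok {
				b, err := strconv.ParseBool(fmt.Sprint(v))
				if err != nil {
					return fmt.Errorf("server_certificate_validation_actions.%s: %w", tfKey, err)
				}
				res[apiKey] = b
			}
		}
		if v, ok := d.GetOk("server_certificate_validation_actions.track_errors"); ok {
			res["track-errors"] = v.(string)
		}
		payload["server-certificate-validation-actions"] = res
	}
	// … unchanged: remaining payload fields, ApiCall and uid handling …
```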
The available operations are:
* When adding a VSX Cluster, you must also add at least 2 cluster members
* Adding cluster members is only allowed when adding a new VSX cluster
* To add members to an existing cluster, use vsx-run-operation.", + }, + "add_physical_interface_params": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Parameters for the operation to add a physical interface to a VSX gateway or VSX Cluster.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the interface.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + "vlan_trunk": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "True if this interface is a VLAN trunk.", + Default: false, + }, + }, + }, + }, + "add_route_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to add a route to a Virtual System or Virtual Router.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "destination": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Route destination. To specify the default route, use 'default' for IPv4 and 'default6' for IPv6.", + }, + "next_hop": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Next hop IP address.", + }, + "leads_to": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Virtual Router for this route
This VD must have an existing connection to the VR.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "netmask": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Subnet mask for this route.", + }, + "prefix": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "CIDR prefix for this route.", + }, + "propagate": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Propagate this route to adjacent virtual devices.", + Default: false, + }, + }, + }, + }, + "add_vd_interface_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to add a new interface to a Virtual Device.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "leads_to": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Virtual Switch or Virtual Router for this interface.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the interface.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "anti_spoofing": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The anti-spoofing enforcement setting of this interface.", + }, + "anti_spoofing_tracking": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The anti-spoofing tracking setting of this interface.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "ipv4_netmask": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv4 Subnet mask of this interface.", + }, + "ipv4_prefix": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv4 CIDR prefix of this interface.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "ipv6_netmask": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv6 Subnet mask of this interface.", + }, + "ipv6_prefix": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv6 CIDR prefix of this interface.", + }, + "mtu": { + Type: schema.TypeInt, + Optional: true, + ForceNew: true, + Description: "MTU of this interface.", + }, + "propagate": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Propagate IPv4 route to adjacent virtual devices.", + Default: false, + }, + "propagate6": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Propagate IPv6 route to adjacent virtual devices.", + Default: false, + }, + "specific_group": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Specific group for interface topology.
Only for use with topology option 'internal_specific'.", + }, + "topology": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS.", + }, + "vti_settings": { + Type: schema.TypeList, + Optional: true, + ForceNew: true, + MaxItems: 1, + Description: "VTI settings for this interface. This Virtual System must have VPN blade enabled.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "local_ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The IPv4 address of the VPN tunnel on this Virtual System.", + }, + "peer_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The name of the remote peer object as defined in the VPN community.", + }, + "remote_ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The IPv4 address of the VPN tunnel on the remote VPN peer.", + }, + "tunnel_id": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Optional unique Tunnel ID.
Automatically assigned by the system if empty.", + }, + }, + }, + }, + }, + }, + }, + "add_vd_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to add a new Virtual Device (VS/VSB/VSW/VR).", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "interfaces": { + Type: schema.TypeList, + Required: true, + ForceNew: true, + Description: "The list of interfaces for this new Virtual Device.
Optional if this new VD is a Virtual Switch.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "leads_to": { + Type: schema.TypeString, + Optional: true, + Description: "Virtual Switch or Virtual Router for this interface.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the interface.", + }, + "anti_spoofing": { + Type: schema.TypeString, + Optional: true, + Description: "The anti-spoofing enforcement setting of this interface.", + }, + "anti_spoofing_tracking": { + Type: schema.TypeString, + Optional: true, + Description: "The anti-spoofing tracking setting of this interface.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "ipv4_netmask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 Subnet mask of this interface.", + }, + "ipv4_prefix": { + Type: schema.TypeString, + Optional: true, + Description: "IPv4 CIDR prefix of this interface.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "ipv6_netmask": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 Subnet mask of this interface.", + }, + "ipv6_prefix": { + Type: schema.TypeString, + Optional: true, + Description: "IPv6 CIDR prefix of this interface.", + }, + "mtu": { + Type: schema.TypeInt, + Optional: true, + Description: "MTU of this interface.", + }, + "propagate": { + Type: schema.TypeBool, + Optional: true, + Description: "Propagate IPv4 route to adjacent virtual devices.", + }, + "propagate6": { + Type: schema.TypeBool, + Optional: true, + Description: "Propagate IPv6 route to adjacent virtual devices.", + }, + "specific_group": { + Type: schema.TypeString, + Optional: true, + Description: "Specific group for interface topology.
Only for use with topology option 'internal_specific'.", + }, + "topology": { + Type: schema.TypeString, + Optional: true, + Description: "Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS.", + }, + }, + }, + }, + "type": { + Type: schema.TypeString, + Optional: true, + Description: "Type of the Virtual Device

vs - Virtual Firewall
vr - Virtual Router
vsw - Virtual Switch
vsbm - Virtual Firewall in bridge mode.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + "calc_topology_auto": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Calculate interface topology automatically based on routes.
Relevant only for Virtual Systems.
Do not use for virtual devices.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv4 Address.
Required if this device is a Virtual System.
Do not use for other virtual devices.", + }, + "ipv4_instances": { + Type: schema.TypeInt, + Optional: true, + ForceNew: true, + Description: "Number of IPv4 instances for the Virtual System.
Must be greater or equal to 1.
Only relevant for Virtual Systems and Virtual Systems in bridge mode.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv6 Address.
Required if this device is a Virtual System.
Do not use for other virtual devices.", + }, + "ipv6_instances": { + Type: schema.TypeInt, + Optional: true, + ForceNew: true, + Description: "Number of IPv6 instances for the Virtual System.
Only relevant for Virtual Systems and Virtual Systems in bridge mode.", + }, + "routes": { + Type: schema.TypeList, + Optional: true, + ForceNew: true, + Description: "The list of routes for this new Virtual Device (VS or VR only).", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "destination": { + Type: schema.TypeString, + Optional: true, + Description: "Route destination. To specify the default route, use 'default' for IPv4 and 'default6' for IPv6.", + }, + "next_hop": { + Type: schema.TypeString, + Optional: true, + Description: "Next hop IP address.", + }, + "leads_to": { + Type: schema.TypeString, + Optional: true, + Description: "Virtual Router for this route
This VD must have an existing connection to the VR.", + }, + "netmask": { + Type: schema.TypeString, + Optional: true, + Description: "Subnet mask for this route.", + }, + "prefix": { + Type: schema.TypeString, + Optional: true, + Description: "CIDR prefix for this route.", + }, + "propagate": { + Type: schema.TypeBool, + Optional: true, + Description: "Propagate this route to adjacent virtual devices.", + Default: false, + }, + }, + }, + }, + "vs_mtu": { + Type: schema.TypeInt, + Optional: true, + Description: "MTU of the Virtual System.
Only relevant for Virtual Systems in bridge mode.
Do not use for other virtual devices.", + }, + }, + }, + }, + "add_vsx_cluster_params": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Description: "Parameters for the operation to add a new VSX Cluster.", + ForceNew: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "cluster_type": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Cluster type for the VSX Cluster Object.
Starting in R81.10, only VSLS can be configured during cluster creation.
To use High Availability ('ha'), first create the cluster as VSLS and then run vsx_util on the Management.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv4 Address of the VSX Gateway or Cluster object.
Optional if main IPv6 Address is defined.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv6 Address of the VSX Gateway or Cluster object.
Optional if main IPv4 Address is defined.", + }, + "members": { + Type: schema.TypeList, + Optional: true, + ForceNew: true, + Description: "The list of cluster members for this new VSX Cluster. Minimum: 2.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv4 Address of the VSX Cluster member.
Mandatory if the VSX Cluster has an IPv4 Address.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv6 Address of the VSX Cluster member.
Mandatory if the VSX Cluster has an IPv6 Address.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the new VSX Cluster member.", + }, + "sic_otp": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "SIC one-time-password of the VSX Gateway or Cluster member.
Password must be between 4-127 characters in length.", + }, + "sync_ip": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Sync IP address for the VSX Cluster member.", + }, + }, + }, + }, + "sync_if_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Sync interface name for the VSX Cluster.", + }, + "sync_netmask": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Sync interface netmask for the VSX Cluster.", + }, + "version": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Version of the VSX Gateway or Cluster object.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + "rule_drop": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a default drop rule to the VSX Gateway or Cluster initial policy.", + Default: "enable", + }, + "rule_https": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ping": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ping6": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_snmp": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ssh": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy.", + 
Default: "disable", + }, + }, + }, + }, + "add_vsx_gateway_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to add a new VSX Gateway.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv4 Address of the VSX Gateway or Cluster object.
Optional if main IPv6 Address is defined.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Main IPv6 Address of the VSX Gateway or Cluster object.
Optional if main IPv4 Address is defined.", + }, + "sic_otp": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "SIC one-time-password of the VSX Gateway or Cluster member.
Password must be between 4-127 characters in length.", + }, + "version": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Version of the VSX Gateway or Cluster object.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + "rule_drop": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a default drop rule to the VSX Gateway or Cluster initial policy.", + Default: "enable", + }, + "rule_https": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ping": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ping6": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_snmp": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + "rule_ssh": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy.", + Default: "disable", + }, + }, + }, + }, + "attach_bridge_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to attach a new bridge interface to a Virtual System.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "ifs1": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the first interface for the bridge.", + }, + "ifs2": { + Type: 
schema.TypeString, + Optional: true, + Description: "Name of the second interface for the bridge.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + }, + }, + }, + "remove_physical_interface_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to remove a physical interface from a VSX (Gateway or Cluster).", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the interface.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + }, + }, + }, + "remove_route_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to remove a route from a Virtual System or Virtual Router.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "destination": { + Type: schema.TypeString, + Optional: true, + Description: "Route destination. 
To specify the default route, use 'default' for IPv4 and 'default6' for IPv6.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "netmask": { + Type: schema.TypeString, + Optional: true, + Description: "Subnet mask for this route.", + }, + "prefix": { + Type: schema.TypeString, + Optional: true, + Description: "CIDR prefix for this route.", + }, + }, + }, + }, + "remove_vd_interface_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to remove a logical interface from a Virtual Device.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "leads_to": { + Type: schema.TypeString, + Optional: true, + Description: "Virtual Switch or Virtual Router for this interface.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the interface.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + }, + }, + }, + "remove_vd_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to remove a Virtual Device.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "vd": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + }, + }, + }, + "remove_vsx_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to remove a VSX Gateway or VSX Cluster.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "vsx_name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + }, + }, + }, + "set_physical_interface_params": { + Type: schema.TypeList, + Optional: true, + 
Description: "Parameters for the operation to change the configuration of a physical interface.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the interface.", + }, + "vlan_trunk": { + Type: schema.TypeBool, + Optional: true, + Description: "True if this interface is a VLAN trunk.", + }, + "vsx_name": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the VSX Gateway or Cluster object.", + }, + }, + }, + }, + "set_vd_interface_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to change the configuration of a logical interface.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "leads_to": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Virtual Switch or Virtual Router for this interface.", + }, + "name": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the interface.", + }, + "vd": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "anti_spoofing": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The anti-spoofing enforcement setting of this interface.", + }, + "anti_spoofing_tracking": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "The anti-spoofing tracking setting of this interface.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router.", + }, + "mtu": { + Type: schema.TypeInt, + Optional: true, + ForceNew: true, + Description: "MTU of this interface.", + }, + "new_leads_to": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "New Virtual Switch or Virtual Router for this interface.", + }, + "propagate": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Propagate IPv4 route to adjacent virtual devices.", + Default: false, + }, + "propagate6": { + Type: schema.TypeBool, + Optional: true, + ForceNew: true, + Description: "Propagate IPv6 route to adjacent virtual devices.", + Default: false, + }, + "specific_group": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Specific group for interface topology.
Only for use with topology option 'internal_specific'.", + }, + "topology": { + Type: schema.TypeString, + Optional: true, + ForceNew: true, + Description: "Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS.", + }, + }, + }, + }, + "set_vd_params": { + Type: schema.TypeList, + Optional: true, + Description: "Parameters for the operation to change the configuration of a Virtual Device.", + ForceNew: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "vd": { + Type: schema.TypeString, + Optional: true, + Description: "Name of the Virtual System, Virtual Switch, or Virtual Router.", + }, + "calc_topology_auto": { + Type: schema.TypeBool, + Optional: true, + Description: "Calculate interface topology automatically based on routes.
Relevant only for Virtual Systems.
Do not use for virtual devices.", + }, + "ipv4_address": { + Type: schema.TypeString, + Optional: true, + Description: "Main IPv4 Address.
Relevant only if this device is a Virtual System.
Do not use for other virtual devices.", + }, + "ipv4_instances": { + Type: schema.TypeInt, + Optional: true, + Description: "Number of IPv4 instances for the Virtual System.
Must be greater or equal to 1.
Only relevant for Virtual Systems and Virtual Systems in bridge mode.", + }, + "ipv6_address": { + Type: schema.TypeString, + Optional: true, + Description: "Main IPv6 Address.
Relevant only if this device is a Virtual System.
Do not use for other virtual devices.", + }, + "ipv6_instances": { + Type: schema.TypeInt, + Optional: true, + Description: "Number of IPv6 instances for the Virtual System.
Only relevant for Virtual Systems and Virtual Systems in bridge mode.", + }, + "vs_mtu": { + Type: schema.TypeInt, + Optional: true, + Description: "MTU of the Virtual System.
Only relevant for Virtual Systems in bridge mode.
Do not use for other virtual devices.", + }, + }, + }, + }, + }, + } +} + +func createManagementVsxProvisioningTool(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + var payload = map[string]interface{}{} + if v, ok := d.GetOk("operation"); ok { + payload["operation"] = v.(string) + } + + if _, ok := d.GetOk("add_physical_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_physical_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("add_physical_interface_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + if v, ok := d.GetOk("add_physical_interface_params.0.vlan_trunk"); ok { + res["vlan-trunk"] = v + } + payload["add-physical-interface-params"] = res + } + + if _, ok := d.GetOk("add_route_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_route_params.0.destination"); ok { + res["destination"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.next_hop"); ok { + res["next-hop"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.leads_to"); ok { + res["leads-to"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.vd"); ok { + res["vd"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.netmask"); ok { + res["netmask"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.prefix"); ok { + res["prefix"] = v.(string) + } + if v, ok := d.GetOk("add_route_params.0.propagate"); ok { + res["propagate"] = v + } + payload["add-route-params"] = res + } + + if _, ok := d.GetOk("add_vd_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vd_interface_params.0.leads_to"); ok { + res["leads-to"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.vd"); ok { + res["vd"] = v.(string) + } + if v, ok := 
d.GetOk("add_vd_interface_params.0.anti_spoofing"); ok { + res["anti-spoofing"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.anti_spoofing_tracking"); ok { + res["anti-spoofing-tracking"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv4_address"); ok { + res["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv4_netmask"); ok { + res["ipv4-netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv4_prefix"); ok { + res["ipv4-prefix"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv6_netmask"); ok { + res["ipv6-netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.ipv6_prefix"); ok { + res["ipv6-prefix"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.mtu"); ok { + res["mtu"] = v + } + if v, ok := d.GetOk("add_vd_interface_params.0.propagate"); ok { + res["propagate"] = v + } + if v, ok := d.GetOk("add_vd_interface_params.0.propagate6"); ok { + res["propagate6"] = v + } + if v, ok := d.GetOk("add_vd_interface_params.0.specific_group"); ok { + res["specific-group"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.topology"); ok { + res["topology"] = v.(string) + } + if v, ok := d.GetOk("add_vd_interface_params.0.vti_settings"); ok { + + innerMap := v.([]interface{})[0].(map[string]interface{}) + + mapToReturn := make(map[string]interface{}) + + if v := innerMap["local_ipv4_address"]; v != nil { + mapToReturn["local-ipv4-address"] = v + } + if v := innerMap["peer_name"]; v != nil { + mapToReturn["peer-name"] = v + } + if v := innerMap["remote_ipv4_address"]; v != nil { + mapToReturn["remote-ipv4-address"] = v + } + if v := innerMap["tunnel_id"]; v != nil { + mapToReturn["tunnel-id"] = v + } + res["vti-settings"] = mapToReturn + } + payload["add-vd-interface-params"] = res + } + + if _, ok 
:= d.GetOk("add_vd_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vd_params.0.interfaces"); ok { + + interfacesList := v.([]interface{}) + + var interfacesPayload []map[string]interface{} + + for i := range interfacesList { + + Payload := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".name"); ok { + Payload["name"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".leads_to"); ok { + Payload["leads-to"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".anti_spoofing"); ok { + Payload["anti-spoofing"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".anti_spoofing_tracking"); ok { + Payload["anti-spoofing-tracking"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv4_address"); ok { + Payload["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv4_netmask"); ok { + Payload["ipv4-netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv4_prefix"); ok { + Payload["ipv4-prefix"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv6_address"); ok { + Payload["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv6_netmask"); ok { + Payload["ipv6-netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".ipv6_prefix"); ok { + Payload["ipv6-prefix"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".mtu"); ok { + Payload["mtu"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".propagate"); ok { + Payload["propagate"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." 
+ strconv.Itoa(i) + ".propagate6"); ok { + Payload["propagate6"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".specific_group"); ok { + Payload["specific-group"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.interfaces." + strconv.Itoa(i) + ".topology"); ok { + Payload["topology"] = v.(string) + } + interfacesPayload = append(interfacesPayload, Payload) + } + + res["interfaces"] = interfacesPayload + } + if v, ok := d.GetOk("add_vd_params.0.type"); ok { + res["type"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.vd"); ok { + res["vd"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.calc_topology_auto"); ok { + res["calc-topology-auto"] = v + } + if v, ok := d.GetOk("add_vd_params.0.ipv4_address"); ok { + res["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.ipv4_instances"); ok { + res["ipv4-instances"] = v + } + if v, ok := d.GetOk("add_vd_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.ipv6_instances"); ok { + res["ipv6-instances"] = v + } + if v, ok := d.GetOk("add_vd_params.0.routes"); ok { + + routesList := v.([]interface{}) + + var routesPayload []map[string]interface{} + + for i := range routesList { + + Payload := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vd_params.0.routes." + strconv.Itoa(i) + ".destination"); ok { + Payload["destination"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.routes." + strconv.Itoa(i) + ".next_hop"); ok { + Payload["next-hop"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.routes." + strconv.Itoa(i) + ".leads_to"); ok { + Payload["leads-to"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.routes." + strconv.Itoa(i) + ".netmask"); ok { + Payload["netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.routes." 
+ strconv.Itoa(i) + ".prefix"); ok { + Payload["prefix"] = v.(string) + } + if v, ok := d.GetOk("add_vd_params.0.routes." + strconv.Itoa(i) + ".propagate"); ok { + Payload["propagate"] = v.(string) + } + routesPayload = append(routesPayload, Payload) + } + res["routes"] = routesPayload + } + if v, ok := d.GetOk("add_vd_params.0.vs_mtu"); ok { + res["vs-mtu"] = v + } + payload["add-vd-params"] = res + } + + if _, ok := d.GetOk("add_vsx_cluster_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vsx_cluster_params.0.cluster_type"); ok { + res["cluster-type"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.ipv4_address"); ok { + res["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.members"); ok { + + membersList := v.([]interface{}) + + if len(membersList) > 0 { + + var membersObjectsPayload []map[string]interface{} + + for i := range membersList { + + memberObject := membersList[i].(map[string]interface{}) + + objectPayload := make(map[string]interface{}) + + if v := memberObject["ipv4_address"]; v != nil { + objectPayload["ipv4-address"] = v + } + if v := memberObject["ipv6_address"]; v != nil { + objectPayload["ipv6-address"] = v + } + if v := memberObject["name"]; v != nil { + objectPayload["name"] = v + } + if v := memberObject["sic_otp"]; v != nil { + objectPayload["sic-otp"] = v + } + if v := memberObject["sync_ip"]; v != nil { + objectPayload["sync-ip"] = v + } + membersObjectsPayload = append(membersObjectsPayload, objectPayload) + } + res["members"] = membersObjectsPayload + } + + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.sync_if_name"); ok { + res["sync-if-name"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.sync_netmask"); ok { + res["sync-netmask"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.version"); ok { + 
res["version"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_drop"); ok { + res["rule-drop"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_https"); ok { + res["rule-https"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_ping"); ok { + res["rule-ping"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_ping6"); ok { + res["rule-ping6"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_snmp"); ok { + res["rule-snmp"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_cluster_params.0.rule_ssh"); ok { + res["rule-ssh"] = v.(string) + } + payload["add-vsx-cluster-params"] = res + } + + if _, ok := d.GetOk("add_vsx_gateway_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("add_vsx_gateway_params.0.ipv4_address"); ok { + res["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.sic_otp"); ok { + res["sic-otp"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.version"); ok { + res["version"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_drop"); ok { + res["rule-drop"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_https"); ok { + res["rule-https"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_ping"); ok { + res["rule-ping"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_ping6"); ok { + res["rule-ping6"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_snmp"); ok { + res["rule-snmp"] = v.(string) + } + if v, ok := d.GetOk("add_vsx_gateway_params.0.rule_ssh"); ok { + res["rule-ssh"] 
= v.(string) + } + payload["add-vsx-gateway-params"] = res + } + + if _, ok := d.GetOk("attach_bridge_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("attach_bridge_params.0.ifs1"); ok { + res["ifs1"] = v.(string) + } + if v, ok := d.GetOk("attach_bridge_params.0.ifs2"); ok { + res["ifs2"] = v.(string) + } + if v, ok := d.GetOk("attach_bridge_params.0.vd"); ok { + res["vd"] = v.(string) + } + payload["attach-bridge-params"] = res + } + + if _, ok := d.GetOk("remove_physical_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("remove_physical_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("remove_physical_interface_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + payload["remove-physical-interface-params"] = res + } + + if _, ok := d.GetOk("remove_route_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("remove_route_params.0.destination"); ok { + res["destination"] = v.(string) + } + if v, ok := d.GetOk("remove_route_params.0.vd"); ok { + res["vd"] = v.(string) + } + if v, ok := d.GetOk("remove_route_params.0.netmask"); ok { + res["netmask"] = v.(string) + } + if v, ok := d.GetOk("remove_route_params.0.prefix"); ok { + res["prefix"] = v.(string) + } + payload["remove-route-params"] = res + } + + if _, ok := d.GetOk("remove_vd_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("remove_vd_interface_params.0.leads_to"); ok { + res["leads-to"] = v.(string) + } + if v, ok := d.GetOk("remove_vd_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("remove_vd_interface_params.0.vd"); ok { + res["vd"] = v.(string) + } + payload["remove-vd-interface-params"] = res + } + + if _, ok := d.GetOk("remove_vd_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("remove_vd_params.0.vd"); ok { + res["vd"] = v.(string) + } + 
payload["remove-vd-params"] = res + } + + if _, ok := d.GetOk("remove_vsx_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("remove_vsx_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + payload["remove-vsx-params"] = res + } + + if _, ok := d.GetOk("set_physical_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("set_physical_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("set_physical_interface_params.0.vlan_trunk"); ok { + res["vlan-trunk"] = v + } + if v, ok := d.GetOk("set_physical_interface_params.0.vsx_name"); ok { + res["vsx-name"] = v.(string) + } + payload["set-physical-interface-params"] = res + } + + if _, ok := d.GetOk("set_vd_interface_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("set_vd_interface_params.0.leads_to"); ok { + res["leads-to"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.name"); ok { + res["name"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.vd"); ok { + res["vd"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.anti_spoofing"); ok { + res["anti-spoofing"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.anti_spoofing_tracking"); ok { + res["anti-spoofing-tracking"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.ipv4_address"); ok { + res["ipv4-address"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.mtu"); ok { + res["mtu"] = v + } + if v, ok := d.GetOk("set_vd_interface_params.0.new_leads_to"); ok { + res["new-leads-to"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.propagate"); ok { + res["propagate"] = v + } + if v, ok := d.GetOk("set_vd_interface_params.0.propagate6"); ok { + res["propagate6"] = v + } + if v, ok := 
d.GetOk("set_vd_interface_params.0.specific_group"); ok { + res["specific-group"] = v.(string) + } + if v, ok := d.GetOk("set_vd_interface_params.0.topology"); ok { + res["topology"] = v.(string) + } + payload["set-vd-interface-params"] = res + } + + if _, ok := d.GetOk("set_vd_params"); ok { + + res := make(map[string]interface{}) + + if v, ok := d.GetOk("set_vd_params.0.vd"); ok { + res["vd"] = v + } + if v, ok := d.GetOk("set_vd_params.0.calc_topology_auto"); ok { + res["calc-topology-auto"] = v + } + if v, ok := d.GetOk("set_vd_params.0.ipv4_address"); ok { + res["ipv4-address"] = v + } + if v, ok := d.GetOk("set_vd_params.0.ipv4_instances"); ok { + res["ipv4-instances"] = v + } + if v, ok := d.GetOk("set_vd_params.0.ipv6_address"); ok { + res["ipv6-address"] = v.(string) + } + if v, ok := d.GetOk("set_vd_params.0.ipv6_instances"); ok { + res["ipv6-instances"] = v + } + if v, ok := d.GetOk("set_vd_params.0.vs_mtu"); ok { + res["vs-mtu"] = v + } + payload["set-vd-params"] = res + } + + VsxProvisioningToolRes, _ := client.ApiCall("vsx-provisioning-tool", payload, client.GetSessionID(), true, false) + if !VsxProvisioningToolRes.Success { + return fmt.Errorf(VsxProvisioningToolRes.ErrorMsg) + } + + d.SetId("vsx-provisioning-tool-" + acctest.RandString(10)) + log.Println("result is ", VsxProvisioningToolRes) + _ = d.Set("task_id", resolveTaskId(VsxProvisioningToolRes.GetData())) + return readManagementVsxProvisioningTool(d, m) +} + +func readManagementVsxProvisioningTool(d *schema.ResourceData, m interface{}) error { + + return nil +} + +func deleteManagementVsxProvisioningTool(d *schema.ResourceData, m interface{}) error { + + d.SetId("") + return nil +} diff --git a/checkpoint/resource_checkpoint_management_outbound_inspection_certificate.go b/checkpoint/resource_checkpoint_management_outbound_inspection_certificate.go new file mode 100644 index 00000000..3eaeb09c --- /dev/null +++ b/checkpoint/resource_checkpoint_management_outbound_inspection_certificate.go 
@@ -0,0 +1,343 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "log" +) + +func resourceManagementOutboundInspectionCertificate() *schema.Resource { + return &schema.Resource{ + Create: createManagementOutboundInspectionCertificate, + Read: readManagementOutboundInspectionCertificate, + Update: updateManagementOutboundInspectionCertificate, + Delete: deleteManagementOutboundInspectionCertificate, + Schema: map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Optional: true, + Description: "Object name.", + }, + "issued_by": { + Type: schema.TypeString, + Required: true, + Description: "The DN (Distinguished Name) of the certificate.", + }, + "base64_password": { + Type: schema.TypeString, + Required: true, + Description: "Password (encoded in Base64 with padding) for the certificate file.", + }, + "base64_certificate": { + Type: schema.TypeString, + Computed: true, + Description: "Password (encoded in Base64 with padding) for the certificate file.", + }, + "base64_public_certificate": { + Type: schema.TypeString, + Computed: true, + Description: "Password (encoded in Base64 with padding) for the certificate file.", + }, + "valid_from": { + Type: schema.TypeString, + Required: true, + Description: "The date, from which the certificate is valid. Format: YYYY-MM-DD.", + }, + "valid_to": { + Type: schema.TypeString, + Required: true, + Description: "The certificate expiration date. Format: YYYY-MM-DD.", + }, + "is_default": { + Type: schema.TypeBool, + Optional: true, + Description: "Is the certificate the default certificate.", + }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Description: "Collection of tag identifiers.", + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, + "color": { + Type: schema.TypeString, + Optional: true, + Description: "Color of the object. 
Should be one of existing colors.", + Default: "black", + }, + "comments": { + Type: schema.TypeString, + Optional: true, + Description: "Comments string.", + }, + "ignore_warnings": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring warnings.", + Default: false, + }, + "ignore_errors": { + Type: schema.TypeBool, + Optional: true, + Description: "Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.", + Default: false, + }, + }, + } +} + +func createManagementOutboundInspectionCertificate(d *schema.ResourceData, m interface{}) error { + client := m.(*checkpoint.ApiClient) + + outboundInspectionCertificate := make(map[string]interface{}) + + if v, ok := d.GetOk("name"); ok { + outboundInspectionCertificate["name"] = v.(string) + } + + if v, ok := d.GetOk("issued_by"); ok { + outboundInspectionCertificate["issued-by"] = v.(string) + } + + if v, ok := d.GetOk("base64_password"); ok { + outboundInspectionCertificate["base64-password"] = v.(string) + } + + if v, ok := d.GetOk("valid_from"); ok { + outboundInspectionCertificate["valid-from"] = v.(string) + } + + if v, ok := d.GetOk("valid_to"); ok { + outboundInspectionCertificate["valid-to"] = v.(string) + } + + if v, ok := d.GetOkExists("is_default"); ok { + outboundInspectionCertificate["is-default"] = v.(bool) + } + + if v, ok := d.GetOk("tags"); ok { + outboundInspectionCertificate["tags"] = v.(*schema.Set).List() + } + + if v, ok := d.GetOk("color"); ok { + outboundInspectionCertificate["color"] = v.(string) + } + + if v, ok := d.GetOk("comments"); ok { + outboundInspectionCertificate["comments"] = v.(string) + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + outboundInspectionCertificate["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + outboundInspectionCertificate["ignore-errors"] = v.(bool) + } + + log.Println("Create 
OutboundInspectionCertificate - Map = ", outboundInspectionCertificate) + + addOutboundInspectionCertificateRes, err := client.ApiCall("add-outbound-inspection-certificate", outboundInspectionCertificate, client.GetSessionID(), true, false) + if err != nil || !addOutboundInspectionCertificateRes.Success { + if addOutboundInspectionCertificateRes.ErrorMsg != "" { + return fmt.Errorf(addOutboundInspectionCertificateRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + d.SetId(addOutboundInspectionCertificateRes.GetData()["uid"].(string)) + + return readManagementOutboundInspectionCertificate(d, m) +} + +func readManagementOutboundInspectionCertificate(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + payload := map[string]interface{}{ + "uid": d.Id(), + } + + showOutboundInspectionCertificateRes, err := client.ApiCall("show-outbound-inspection-certificate", payload, client.GetSessionID(), true, false) + if err != nil { + return fmt.Errorf(err.Error()) + } + if !showOutboundInspectionCertificateRes.Success { + if objectNotFound(showOutboundInspectionCertificateRes.GetData()["code"].(string)) { + d.SetId("") + return nil + } + return fmt.Errorf(showOutboundInspectionCertificateRes.ErrorMsg) + } + + outboundInspectionCertificate := showOutboundInspectionCertificateRes.GetData() + + log.Println("Read OutboundInspectionCertificate - Show JSON = ", outboundInspectionCertificate) + + if v := outboundInspectionCertificate["name"]; v != nil { + _ = d.Set("name", v) + } + + if v := outboundInspectionCertificate["issued-by"]; v != nil { + _ = d.Set("issued_by", removeCnPrefix(v.(string))) + } + + if v := outboundInspectionCertificate["base64-certificate"]; v != nil { + _ = d.Set("base64_certificate", v) + } + + if v := outboundInspectionCertificate["base64-public-certificate"]; v != nil { + _ = d.Set("base64_public_certificate", v) + } + + if v := outboundInspectionCertificate["valid-from"]; v != nil { + dateStr, err := 
convertDateFormat(v.(string)) + if err != nil { + return fmt.Errorf("failed to convert the value %s from field valid-from to format yyyy-mm-dd ", v) + } + _ = d.Set("valid_from", dateStr) + } + + if v := outboundInspectionCertificate["valid-to"]; v != nil { + dateStr, err := convertDateFormat(v.(string)) + if err != nil { + return fmt.Errorf("failed to convert the value %s from field valid-to to format yyyy-mm-dd ", v) + } + _ = d.Set("valid_to", dateStr) + } + + if v := outboundInspectionCertificate["is-default"]; v != nil { + _ = d.Set("is_default", v) + } + + if outboundInspectionCertificate["tags"] != nil { + tagsJson, ok := outboundInspectionCertificate["tags"].([]interface{}) + if ok { + tagsIds := make([]string, 0) + if len(tagsJson) > 0 { + for _, tags := range tagsJson { + tags := tags.(map[string]interface{}) + tagsIds = append(tagsIds, tags["name"].(string)) + } + } + _ = d.Set("tags", tagsIds) + } + } else { + _ = d.Set("tags", nil) + } + + if v := outboundInspectionCertificate["color"]; v != nil { + _ = d.Set("color", v) + } + + if v := outboundInspectionCertificate["comments"]; v != nil { + _ = d.Set("comments", v) + } + + if v := outboundInspectionCertificate["ignore-warnings"]; v != nil { + _ = d.Set("ignore_warnings", v) + } + + if v := outboundInspectionCertificate["ignore-errors"]; v != nil { + _ = d.Set("ignore_errors", v) + } + + return nil + +} + +func updateManagementOutboundInspectionCertificate(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + outboundInspectionCertificate := make(map[string]interface{}) + + if ok := d.HasChange("name"); ok { + oldName, newName := d.GetChange("name") + outboundInspectionCertificate["name"] = oldName + outboundInspectionCertificate["new-name"] = newName + } else { + outboundInspectionCertificate["name"] = d.Get("name") + } + + if ok := d.HasChange("issued_by"); ok { + outboundInspectionCertificate["issued-by"] = d.Get("issued_by") + } + + if ok := 
d.HasChange("base64_password"); ok { + outboundInspectionCertificate["base64-password"] = d.Get("base64_password") + } + + if ok := d.HasChange("valid_from"); ok { + outboundInspectionCertificate["valid-from"] = d.Get("valid_from") + } + + if ok := d.HasChange("valid_to"); ok { + outboundInspectionCertificate["valid-to"] = d.Get("valid_to") + } + + if v, ok := d.GetOkExists("is_default"); ok { + outboundInspectionCertificate["is-default"] = v.(bool) + } + + if d.HasChange("tags") { + if v, ok := d.GetOk("tags"); ok { + outboundInspectionCertificate["tags"] = v.(*schema.Set).List() + } else { + oldTags, _ := d.GetChange("tags") + outboundInspectionCertificate["tags"] = map[string]interface{}{"remove": oldTags.(*schema.Set).List()} + } + } + + if ok := d.HasChange("color"); ok { + outboundInspectionCertificate["color"] = d.Get("color") + } + + if ok := d.HasChange("comments"); ok { + outboundInspectionCertificate["comments"] = d.Get("comments") + } + + if v, ok := d.GetOkExists("ignore_warnings"); ok { + outboundInspectionCertificate["ignore-warnings"] = v.(bool) + } + + if v, ok := d.GetOkExists("ignore_errors"); ok { + outboundInspectionCertificate["ignore-errors"] = v.(bool) + } + + log.Println("Update OutboundInspectionCertificate - Map = ", outboundInspectionCertificate) + + updateOutboundInspectionCertificateRes, err := client.ApiCall("set-outbound-inspection-certificate", outboundInspectionCertificate, client.GetSessionID(), true, false) + if err != nil || !updateOutboundInspectionCertificateRes.Success { + if updateOutboundInspectionCertificateRes.ErrorMsg != "" { + return fmt.Errorf(updateOutboundInspectionCertificateRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + + return readManagementOutboundInspectionCertificate(d, m) +} + +func deleteManagementOutboundInspectionCertificate(d *schema.ResourceData, m interface{}) error { + + client := m.(*checkpoint.ApiClient) + + outboundInspectionCertificatePayload := map[string]interface{}{ + "uid": d.Id(), + 
} + + log.Println("Delete OutboundInspectionCertificate") + + deleteOutboundInspectionCertificateRes, err := client.ApiCall("delete-outbound-inspection-certificate", outboundInspectionCertificatePayload, client.GetSessionID(), true, false) + if err != nil || !deleteOutboundInspectionCertificateRes.Success { + if deleteOutboundInspectionCertificateRes.ErrorMsg != "" { + return fmt.Errorf(deleteOutboundInspectionCertificateRes.ErrorMsg) + } + return fmt.Errorf(err.Error()) + } + d.SetId("") + + return nil +} diff --git a/checkpoint/resource_checkpoint_management_outbound_inspection_certificate_test.go b/checkpoint/resource_checkpoint_management_outbound_inspection_certificate_test.go new file mode 100644 index 00000000..29deca9c --- /dev/null +++ b/checkpoint/resource_checkpoint_management_outbound_inspection_certificate_test.go 
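Review bot: `base64_password` is declared as a plain `schema.TypeString` without `Sensitive: true`, and `createManagementOutboundInspectionCertificate` then prints the whole request map with `log.Println("Create OutboundInspectionCertificate - Map = ", outboundInspectionCertificate)`, so the certificate-file password is shown in plain text in plan output and written to provider logs; `updateManagementOutboundInspectionCertificate` has the same log line. Mark the field `Sensitive: true,` in the schema and drop `base64-password` from the logged map (or log only the field names). The `Description` of `base64_certificate` and `base64_public_certificate` is copy-pasted from the password field and should say what those computed fields hold, e.g. `Description: "Certificate file encoded in Base64 with padding."`. The `fmt.Errorf(addOutboundInspectionCertificateRes.ErrorMsg)` calls pass server-supplied text as a format string; `errors.New(...)` avoids misreading any `%` in the message, and in `readManagementOutboundInspectionCertificate` the `GetData()["code"].(string)` assertion should use the two-value form so a response without `code` does not panic.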
@@ -0,0 +1,108 @@ +package checkpoint + +import ( + "fmt" + checkpoint "github.com/CheckPointSW/cp-mgmt-api-go-sdk/APIFiles" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" + "os" + "strings" + "testing" +) + +func TestAccCheckpointManagementOutboundInspectionCertificate_basic(t *testing.T) { + + var outboundInspectionCertificateMap map[string]interface{} + resourceName := "checkpoint_management_outbound_inspection_certificate.test" + objName := "tfTestManagementOutboundInspectionCertificate_" + acctest.RandString(6) + + context := os.Getenv("CHECKPOINT_CONTEXT") + if context != "web_api" { + t.Skip("Skipping management test") + } else if context == "" { + t.Skip("Env CHECKPOINT_CONTEXT must be specified to run this acc test") + } + + resource.Test(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckpointManagementOutboundInspectionCertificateDestroy, + Steps: []resource.TestStep{ + { + Config: testAccManagementOutboundInspectionCertificateConfig(objName), + Check: resource.ComposeTestCheckFunc( + testAccCheckCheckpointManagementOutboundInspectionCertificateExists(resourceName, &outboundInspectionCertificateMap), + testAccCheckCheckpointManagementOutboundInspectionCertificateAttributes(&outboundInspectionCertificateMap, objName), + ), + }, + }, + }) +} + +func testAccCheckpointManagementOutboundInspectionCertificateDestroy(s *terraform.State) error { + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + for _, rs := range s.RootModule().Resources { + if rs.Type != "checkpoint_management_outbound_inspection_certificate" { + continue + } + if rs.Primary.ID != "" { + res, _ := client.ApiCall("show-outbound-inspection-certificate", map[string]interface{}{"uid": rs.Primary.ID}, client.GetSessionID(), true, false) + if res.Success { + return 
fmt.Errorf("OutboundInspectionCertificate object (%s) still exists", rs.Primary.ID) + } + } + return nil + } + return nil +} + +func testAccCheckCheckpointManagementOutboundInspectionCertificateExists(resourceTfName string, res *map[string]interface{}) resource.TestCheckFunc { + return func(s *terraform.State) error { + + rs, ok := s.RootModule().Resources[resourceTfName] + if !ok { + return fmt.Errorf("Resource not found: %s", resourceTfName) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("OutboundInspectionCertificate ID is not set") + } + + client := testAccProvider.Meta().(*checkpoint.ApiClient) + + response, err := client.ApiCall("show-outbound-inspection-certificate", map[string]interface{}{"uid": rs.Primary.ID}, client.GetSessionID(), true, false) + if !response.Success { + return err + } + + *res = response.GetData() + + return nil + } +} + +func testAccCheckCheckpointManagementOutboundInspectionCertificateAttributes(outboundInspectionCertificateMap *map[string]interface{}, name string) resource.TestCheckFunc { + return func(s *terraform.State) error { + + outboundInspectionCertificateName := (*outboundInspectionCertificateMap)["name"].(string) + if !strings.EqualFold(outboundInspectionCertificateName, name) { + return fmt.Errorf("name is %s, expected %s", name, outboundInspectionCertificateName) + } + + return nil + } +} + +func testAccManagementOutboundInspectionCertificateConfig(name string) string { + return fmt.Sprintf(` +resource "checkpoint_management_outbound_inspection_certificate" "test" { + name = "%s" + issued_by = "www.checkpoint.com" + base64_password = "bXlfcGFzc3dvcmQ=" + valid_from = "2021-04-17" + valid_to = "2028-04-17" +} +`, name) +} diff --git a/checkpoint/utils.go b/checkpoint/utils.go index b8797735..9bd18e2a 100644 --- a/checkpoint/utils.go +++ b/checkpoint/utils.go @@ -8,6 +8,7 @@ import ( "io/ioutil" "os" "strings" + "time" ) //var lock sync.Mutex 
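Review bot: The context guard in `TestAccCheckpointManagementOutboundInspectionCertificate_basic` can never reach its second branch: an empty `CHECKPOINT_CONTEXT` already satisfies `context != "web_api"`, so the `else if context == ""` skip message is dead code; check the empty case first. In `testAccCheckpointManagementOutboundInspectionCertificateDestroy` the `return nil` inside the `for` loop exits after the first matching resource, so only one resource of this type is ever verified as destroyed; move it after the loop. The exists check returns `err` when `!response.Success`, which may be `nil` and would let a failed lookup pass silently; return an error built from `response.ErrorMsg` instead.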
@@ -199,3 +200,25 @@ func cleanseCertificate(cert string) string { return cert } + +func removeCnPrefix(issueBy string) string { + + issueBy = strings.TrimPrefix(issueBy, "CN=") + return issueBy + +} + +func convertDateFormat(dateStr string) (string, error) { + inputLayout := "02-Jan-06" + outputLayout := "2006-01-02" + + // Parse the input date string using the input layout + t, err := time.Parse(inputLayout, dateStr) + if err != nil { + fmt.Println("Error:", err) + return "", err + } + + // Format the parsed time using the output layout + return t.Format(outputLayout), nil +} diff --git a/website/checkpoint.erb b/website/checkpoint.erb index e2077f2a..500965d9 100644 --- a/website/checkpoint.erb +++ b/website/checkpoint.erb @@ -640,6 +640,27 @@ > checkpoint_management_delete_infinity_idp_object + > + checkpoint_management_run_trusted_ca_update + + > + checkpoint_management_set_gateway_global_use + + > + checkpoint_management_set_https_advanced_settings + + > + checkpoint_management_add_custom_trusted_ca_certificate + + > + checkpoint_management_delete_custom_trusted_ca_certificate + + > + checkpoint_management_outbound_inspection_certificate + + > + checkpoint_management_vsx_provisioning_tool + @@ -1162,6 +1183,21 @@ > checkpoint_management_infinity_idp_object + > + checkpoint_management_gateway_capabilities + + > + checkpoint_management_gateway_global_use + + > + checkpoint_management_https_advanced_settings + + > + checkpoint_management_outbound_inspection_certificate + + > + checkpoint_management_custom_trusted_ca_certificate + diff --git a/website/docs/d/checkpoint_management_custom_trusted_ca_certificate.html.markdown b/website/docs/d/checkpoint_management_custom_trusted_ca_certificate.html.markdown new file mode 100644 index 00000000..9c68e9f4 --- /dev/null +++ b/website/docs/d/checkpoint_management_custom_trusted_ca_certificate.html.markdown 
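Review bot: `convertDateFormat` both prints the parse failure with `fmt.Println("Error:", err)` and returns it, so the caller (which wraps it again) reports the problem twice and the raw value is written to the provider's stdout; drop the `Println` and let the caller handle the error. `removeCnPrefix` reduces to `return strings.TrimPrefix(issueBy, "CN=")`, and its doc comment should say it only strips a literal leading `CN=` rather than parsing the DN. The hard-coded input layout `"02-Jan-06"` is an assumption about the format the API returns for `valid-from`/`valid-to`; a comment naming it, e.g. `// expects the API's "17-Apr-21" style date (example value)`, would make the failure mode clearer when the server returns a different format.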
@@ -0,0 +1,53 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_add_custom_trusted_ca_certificate" +sidebar_current: "docs-checkpoint-data-source-checkpoint-management-add-custom-trusted-ca-certificate" +description: |- +Use this data source to get information on an existing Check Point Custom Trusted Ca Certificate. +--- + +# checkpoint_management_add_custom_trusted_ca_certificate + +Use this data source to get information on an existing Check Point Custom Trusted Ca Certificate. + +## Example Usage + + +```hcl +resource "checkpoint_management_add_custom_trusted_ca_certificate" "example" { + base64_certificate = "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" +} +data "checkpoint_management_custom_trusted_ca_certificate" "data" { + uid = "${checkpoint_management_add_custom_trusted_ca_certificate.example.id}" +} +``` + +## Argument Reference + +The following arguments are supported: + + +* `name` - (Optional) Object name. +* `uid` - (Optional) Object unique identifier. +* `added_by` - By whom the certificate was added. +* `base64_certificate` - Certificate file encoded in base64.
Valid file formats: x509. +* `issued_by` - Trusted CA certificate issued by. +* `issued_to` - Trusted CA certificate issued to. +* `tags` - Collection of tag identifiers. +* `valid_from` - Trusted CA certificate valid from date. +* `valid_to` - Trusted CA certificate valid to date. + +`valid_from` supports the following: +* `iso_8601` - Date and time represented in international ISO 8601 format. +* `posix` - Number of milliseconds that have elapsed since 00:00:00, 1 January 1970 + +`valid_to` supports the following: +* `iso_8601` - Date and time represented in international ISO 8601 format. +* `posix` - Number of milliseconds that have elapsed since 00:00:00, 1 January 1970 + + + +## How To Use +Make sure this command will be executed in the right execution order. +note: terraform execution is not sequential. + diff --git a/website/docs/d/checkpoint_management_gateway_capabilities.html.markdown b/website/docs/d/checkpoint_management_gateway_capabilities.html.markdown new file mode 100644 index 00000000..cf376be7 --- /dev/null +++ b/website/docs/d/checkpoint_management_gateway_capabilities.html.markdown 
@@ -0,0 +1,103 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_management_gateway_capabilities" +sidebar_current: "docs-checkpoint-data-source-checkpoint-management-gateway_capabilities" +description: |- +Use this data source to get information on an existing Check Point Gateway Capabilities. +--- + +# checkpoint_management_gateway_capabilities + +Use this data source to get information on an existing Check Point Gateway Capabilities. + +## Example Usage + + +```hcl +data "checkpoint_management_gateway_capabilities" "data" { + hardware = "CloudGuard IaaS" + platform = "other" + version = "R82" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `hardware` - (Optional) Check Point hardware. +* `platform` - (Optional) Check Point gateway platform. +* `version` - (Optional) Gateway platform version. +* `restrictions` - Set of restrictions. +* `supported_blades` - Supported blades according to restrictions. +* `supported_firmware_platforms` - Supported firmware platforms according to restrictions. +* `supported_hardware` - Supported hardware according to restrictions. +* `supported_platforms` - Supported platforms according to restrictions. +* `supported_versions` - Supported versions according to restrictions. + +`restrictions` supports the following: + +* `hardware` - Check Point hardware. +* `platform` - Check Point gateway platform. +* `version` - Gateway platform version. + +`supported_blades` supports the following: + +* `management` - Management blades. +* `network_security` - Network Security blades. +* `threat_prevention` - Threat Prevention blades. 
+ +`management` supports the following: + +* `default` - N/A +* `name` - N/A +* `readonly` - N/A + +`network_security` supports the following: + +* `default` - N/A +* `name` - N/A +* `readonly` - N/A + +`threat_prevention` supports the following: + +* `autonomous` - N/A +* `custom` - N/A + +`autonomous` supports the following: + +* `default` - N/A +* `name` - N/A +* `readonly` - N/A + +`custom` supports the following: + +* `default` - N/A +* `name` - N/A +* `readonly` - N/A +* `readonly` - N/A + +`supported_firmware_platforms` supports the following: + +* `default` - Default gateway firmware platform. +* `firmwarePlatforms` - List of gateway firmware platforms. + +`supported_hardware` supports the following: + +* `default` - Default hardware. +* `hardware`- List of Check Point hardware. + +`supported_platforms` supports the following: + +* `default` - Default platform. +* `platforms`- List of Check Point gateway platforms. + +`supported_versions` supports the following: + +* `default` - Default gateway platform version. +* `versions`- List of gateway platform versions. + +## How To Use +Make sure this command will be executed in the right execution order. +note: terraform execution is not sequential. + diff --git a/website/docs/d/checkpoint_management_gateway_global_use.html.markdown b/website/docs/d/checkpoint_management_gateway_global_use.html.markdown new file mode 100644 index 00000000..f810df1e --- /dev/null +++ b/website/docs/d/checkpoint_management_gateway_global_use.html.markdown 
@@ -0,0 +1,46 @@ +--- +layout: "checkpoint" +page_title: "checkpoint_managemen_gateway_global_use" +sidebar_current: "docs-checkpoint-data-source-checkpoint-management-gateway-global-use" +description: |- +Use this data source to get information on an existing Check Point Set Gateway Global Use. +--- + +# checkpoint_management_set_gateway_global_use + +Use this data source to get information on an existing Check Point Set Gateway Global Use. + +## Example Usage + + +```hcl +resource "checkpoint_management_set_gateway_global_use" "example" { + target = "vpn_gw" + enabled = true +} +data "checkpoint_management_gateway_global_use" "data" { + target = "${checkpoint_management_set_gateway_global_use.example.target}" +} +``` + +## Argument Reference + +The following arguments are supported: + +* `target` - (Required) On what target to execute this command. Target may be identified by its object name, or object unique identifier. +* `enabled` - Indicates whether global use is enabled on the target. +* `uid` - Object Identifier. +* `name` - Object Name. +* `domain` - data about doamin + +`domain` supports the following: + +* `uid` - Object Identifier. +* `name` - Object Name. +* `domain_type` - domain type. + + +## How To Use +Make sure this command will be executed in the right execution order. +note: terraform execution is not sequential. + diff --git a/website/docs/d/checkpoint_management_https_advanced_settings.html.markdown b/website/docs/d/checkpoint_management_https_advanced_settings.html.markdown new file mode 100644 index 00000000..c08000f5 --- /dev/null +++ b/website/docs/d/checkpoint_management_https_advanced_settings.html.markdown 
@@ -0,0 +1,92 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_https_advanced_settings"
+sidebar_current: "docs-checkpoint-data-source-checkpoint-management-https-advanced-settings"
+description: |-
+Use this data source to get information on an existing Check Point Https Advanced Settings.
+---
+
+# Data Source:checkpoint_management_https_advanced_settings
+
+Use this data source to get information on an existing Check Point Https Advanced Settings.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_set_https_advanced_settings" "example" {
+ bypass_on_failure = false
+ bypass_on_client_failure = false
+ site_categorization_allow_mode = "background"
+ blocked_certificate_tracking = "popup alert"
+ bypass_update_services = true
+ certificate_pinned_apps_action = "bypass"
+ log_sessions = true
+ retrieve_intermediate_ca_certificates = true
+ server_certificate_validation_actions = {
+ block_expired = true
+ block_revoked = false
+ block_untrusted = true
+ track_errors = "log"
+ }
+ blocked_certificates {
+ name = "BlackListed_A71D5266-7EF0-42CF-AE9C-409CD4093879"
+ cert_serial_number = "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71"
+ comments = "login.yahoo.com"
+ }
+ blocked_certificates {
+ name = "BlackListed_A2B37A3D-53F9-4A24-AD09-D96272CA1710"
+ cert_serial_number = "00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3"
+ comments = "*.EGO.GOV.TR"
+ }
+}
+
+data "checkpoint_management_https_advanced_settings" "data" {
+ depends_on = [checkpoint_management_set_https_advanced_settings.example]
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+* `uid` - Object unique identifier.
+* `bypass_on_client_failure` - Whether all requests should be bypassed or blocked-in case of client errors (Client closes the connection due to authentication issues during handshake)
  • true - Fail-open (bypass all requests).
  • false - Fail-close (block all requests.

The default value is true.
+* `bypass_on_failure` - Whether all requests should be bypassed or blocked-in case of server errors (for example validation error during GW-Server authentication)
  • true - Fail-open (bypass all requests).
  • false - Fail-close (block all requests.

The default value is true.
+* `bypass_under_load` - Bypass the HTTPS Inspection temporarily to improve connectivity during a heavy load on the Security Gateway. The HTTPS Inspection would resume as soon as the load decreases.bypass_under_load blocks are documented below.
+* `site_categorization_allow_mode` - Whether all requests should be allowed or blocked until categorization is complete.
  • Background - to allow requests until categorization is complete.
  • Hold- to block requests until categorization is complete.

The default value is hold.
+* `server_certificate_validation_actions` - When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.server_certificate_validation_actions blocks are documented below.
+* `retrieve_intermediate_ca_certificates` - Configure the value "true" to use the "Certificate Authority Information Access" extension to retrieve certificates that are missing from the certificate chain.
The default value is true.
+* `blocked_certificates` - Collection of certificates objects identified by serial number.
Drop traffic from servers using the blocked certificate.blocked_certificates blocks are documented below.
+* `blocked_certificate_tracking` - Controls whether to log and send a notification for dropped traffic.
  • None - Does not record the event.
  • Log - Records the event details in SmartView.
  • Alert - Logs the event and executes a command.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the SNMP GU.
  • User Defined Alert - Sends customized alerts.
.
+* `bypass_update_services` - Configure the value "true" to bypass traffic to well-known software update services.
The default value is true.
+* `certificate_pinned_apps_action` - Configure the value "bypass" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot inspect connections initiated by certificate-pinned applications.
Configure the value "detect" to send logs for traffic from certificate-pinned applications approved by Check Point.
The default value is bypass.
+* `log_sessions` - The value "true" configures the Security Gateway to send HTTPS Inspection session logs.
The default value is true.
+* `domains_to_process` - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.domains_to_process blocks are documented below.
+* `ignore_warnings` - Apply changes ignoring warnings.
+* `ignore_errors` - Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
+
+
+`bypass_under_load` supports the following:
+
+* `track` - Whether to log and send a notification for the bypass under load:
  • None - Does not record the event.
  • Log - Records the event details. Use SmartConsole or SmartView to see the logs.
  • Alert - Logs the event and executes a command you configured.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the configured SNMP Management Server.
  • User Defined Alert - Sends a custom alert.
.
+
+
+`server_certificate_validation_actions` supports the following:
+
+* `block_expired` - Set to be true in order to drop traffic from servers with expired server certificate.
+* `block_revoked` - Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).
+* `block_untrusted` - Set to be true in order to drop traffic from servers with untrusted server certificate.
+* `track_errors` - Whether to log and send a notification for the server validation errors:
  • None - Does not record the event.
  • Log - Records the event details in SmartView.
  • Alert - Logs the event and executes a command.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the SNMP GU.
  • User Defined Alert - Sends customized alerts.
.
+
+
+`blocked_certificates` supports the following:
+
+* `name` - Describes the name, cannot be overridden.
+* `cert_serial_number` - Certificate Serial Number (unique) in hexadecimal format HH:HH.
+* `comments` - Describes the certificate by default, can be overridden by any text.
+
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/d/checkpoint_management_outbound_inspection_certificate.html.markdown b/website/docs/d/checkpoint_management_outbound_inspection_certificate.html.markdown
new file mode 100644
index 00000000..2d1d52a5
--- /dev/null
+++ b/website/docs/d/checkpoint_management_outbound_inspection_certificate.html.markdown
@@ -0,0 +1,44 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_outbound_inspection_certificate"
+sidebar_current: "docs-checkpoint-data-source-checkpoint-management-outbound-inspection-certificate"
+description: |-
+Use this data source to get information on an existing Check Point Outbound Inspection Certificate.
+---
+
+# Data Source: checkpoint_management_outbound_inspection_certificate
+
+Use this data source to get information on an existing Check Point Outbound Inspection Certificate.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_outbound_inspection_certificate" "example" {
+ name = "cert2"
+ issued_by = "www.checkpoint.com"
+ base64_password = "bXlfcGFzc3dvcmQ="
+ valid_from = "2021-04-17"
+ valid_to = "2028-04-17"
+}
+data "checkpoint_management_outbound_inspection_certificate" "data" {
+ uid = "${checkpoint_management_outbound_inspection_certificate.example.id}"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Optional) Object name.
+* `uid` - (Optional) Object unique identifier.
+* `issued_by` - The DN (Distinguished Name) of the certificate.
+* `base64_certificate` - Certificate file encoded in base64.
+* `base64_public_certificate` - Public Certificate file encoded in base64 (pem format).
+* `valid_from` - The date, from which the certificate is valid. Format: YYYY-MM-DD.
+* `valid_to` - The certificate expiration date. Format: YYYY-MM-DD.
+* `is_default` - Is the certificate the default certificate.
+* `tags` - Collection of tag identifiers.tags blocks are documented below.
+* `color` - Color of the object. Should be one of existing colors.
+* `comments` - Comments string.
+
diff --git a/website/docs/r/checkpoint_management_add_custom_trusted_ca_certificate.html.markdown b/website/docs/r/checkpoint_management_add_custom_trusted_ca_certificate.html.markdown
new file mode 100644
index 00000000..ba188e8a
--- /dev/null
+++ b/website/docs/r/checkpoint_management_add_custom_trusted_ca_certificate.html.markdown 
@@ -0,0 +1,47 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_add_custom_trusted_ca_certificate"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-add-custom-trusted-ca-certificate"
+description: |-
+This resource allows you to execute Check Point Add Custom Trusted Ca Certificate.
+---
+
+# checkpoint_management_add_custom_trusted_ca_certificate
+
+This resource allows you to execute Check Point Add Custom Trusted Ca Certificate.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_add_custom_trusted_ca_certificate" "example" {
+ base64_certificate = "MIIEkzCCAnugAwIBAgIVAO5SRZQELwNNhWF+8st6ox9uXYgeMA0GCSqGSIb3DQEBCwUAMIGrMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNyYWVsMS4wLAYDVQQKEyVDaGVja1BvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBMVEQuMQwwCgYDVQQLEwNNSVMxIjAgBgNVBAMTGUNoZWNrUG9pbnQtU1NMLUluc3BlY3Rpb24xKTAnBgkqhkiG9w0BCQEWGmlsX3NlY3VyaXR5QGNoZWNrcG9pbnQuY29tMB4XDTIzMDMxMzAwMDAwMFoXDTIzMDYxMTIzNTk1OVowbzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTCk1lbmxvIFBhcmsxHTAbBgNVBAoTFE1ldGEgUGxhdGZvcm1zLCBJbmMuMRcwFQYDVQQDDA4qLndoYXRzYXBwLm5ldDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPjo05vRHAJYYWx55SOu2b1ZIQPOOtJNipSBXf1BFBDQhrkp20YTA296MzKii2j3TgVi/1t44cW5mD1RWobfAQujgbMwgbAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdEQRtMGuCDioud2hhdHNhcHAubmV0ghIqLmNkbi53aGF0c2FwcC5uZXSCEiouc25yLndoYXRzYXBwLm5ldIIOKi53aGF0c2FwcC5jb22CBXdhLm1lggx3aGF0c2FwcC5jb22CDHdoYXRzYXBwLm5ldDAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAA/sIadLr9ahEVq8h9HuofHODUuzxVFulAZu8uSiyY4ACbaHcvm36MYQCzYV56t4fe+I++ls8KAESZgdE0KoD5/6efzK05Ufok+y15QexAR5AxZlJqtoHIuc7iOolPbkLW77GKrbgfEgmwOCX9/86Pug4ZSrrBUPPt9i3accNkAP+SH9Lft1geS2E/q+xcRhbhDcYTYD56X0MiEv0UaAzwS3adWAZbD7R42u+xNCpX8iUyiwp2UvMf0l/+Q8CAtw4D5s/8hD7Vqvrv4H/ZfV7SrZ+rPrihi01t6LlcpZ2YMucX/tSgDzkjYWmT26V2OgRklM0aQWvHD3DVpghIJfI2swAAJJ5wvqwcJeAWHAQb3aQZgHXjGF/LyBYCQsohTHUL7rhL8CxNlDTNhN2e+NRFGYGer157RCmM8xKroe3/X9pYifbzyEWInqQ+ycmLsQyAd7pPW+W1K1tlk9Niqk3dNQ10daYGau3IPWF5+iHtOlWjLcQrSj60Uv7Ebi0E+b
Oe0tDabunCj6SEauGFxeJhM9xUZnOwb5wqIt+uGqPQ9WRJLehqwdFhiWOqwUfNcksn7l0M6e9Mnkh1J2kGxamQ0bvK7ftpm5O8MTAft0y882IfC++Zuk4gLhQoeE3s6877/rrHRJB/H8ZUaaBxAi2qH0NZ+ParXUxOkil5rVgFqI="
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `base64_certificate` - (Required) Certificate file encoded in base64.
Valid file formats: x509.
+* `name` - Object name.
+* `uid` - Object unique identifier.
+* `added_by` - By whom the certificate was added.
+* `issued_by` - Trusted CA certificate issued by.
+* `issued_to` - Trusted CA certificate issued to.
+* `tags` - Collection of tag identifiers.
+* `valid_from` - Trusted CA certificate valid from date.
+* `valid_to` - Trusted CA certificate valid to date.
+
+`valid_from` supports the following:
+* `iso_8601` - Date and time represented in international ISO 8601 format.
+* `posix` - Number of milliseconds that have elapsed since 00:00:00, 1 January 1970
+
+`valid_to` supports the following:
+* `iso_8601` - Date and time represented in international ISO 8601 format.
+* `posix` - Number of milliseconds that have elapsed since 00:00:00, 1 January 1970
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/r/checkpoint_management_delete_custom_trusted_ca_certificate.html.markdown b/website/docs/r/checkpoint_management_delete_custom_trusted_ca_certificate.html.markdown
new file mode 100644
index 00000000..f2c87322
--- /dev/null
+++ b/website/docs/r/checkpoint_management_delete_custom_trusted_ca_certificate.html.markdown
@@ -0,0 +1,35 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_delete_custom_trusted_ca_certificate"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-delete-custom-trusted-ca-certificate"
+description: |-
+This resource allows you to execute Check Point Delete Custom Trusted Ca Certificate.
+---
+
+# checkpoint_management_delete_custom_trusted_ca_certificate
+
+This resource allows you to execute Check Point Delete Custom Trusted Ca Certificate.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_delete_custom_trusted_ca_certificate" "del" {
+ name = "custom-trusted-ca-cert-object"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `uid` - (Optional) Object name.
+* `name` - (Optional) Object name.
+* `ignore_warnings` - (Optional) Apply changes ignoring warnings.
+* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
+
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/r/checkpoint_management_outbound_inspection_certificate.html.markdown b/website/docs/r/checkpoint_management_outbound_inspection_certificate.html.markdown
new file mode 100644
index 00000000..439d2764
--- /dev/null
+++ b/website/docs/r/checkpoint_management_outbound_inspection_certificate.html.markdown
@@ -0,0 +1,43 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_outbound_inspection_certificate"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-outbound-inspection-certificate"
+description: |-
+This resource allows you to execute Check Point Outbound Inspection Certificate.
+---
+
+# checkpoint_management_outbound_inspection_certificate
+
+This resource allows you to execute Check Point Outbound Inspection Certificate.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_outbound_inspection_certificate" "example" {
+ name = "cert2"
+ issued_by = "www.checkpoint.com"
+ base64_password = "bXlfcGFzc3dvcmQ="
+ valid_from = "2021-04-17"
+ valid_to = "2028-04-17"
+
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `issued_by` - (Required) The DN (Distinguished Name) of the certificate.
+* `base64_password` - (Required) Password (encoded in Base64 with padding) for the certificate file.
+* `valid_from` - (Required) The date, from which the certificate is valid. Format: YYYY-MM-DD.
+* `valid_to` - (Required) The certificate expiration date. Format: YYYY-MM-DD.
+* `name` - (Optional) Object name.
+* `is_default` - (Optional) Is the certificate the default certificate.
+* `tags` - (Optional) Collection of tag identifiers.tags blocks are documented below.
+* `color` - (Optional) Color of the object. Should be one of existing colors.
+* `comments` - (Optional) Comments string.
+* `ignore_warnings` - (Optional) Apply changes ignoring warnings.
+* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
+* `base64_certificate` - Certificate file encoded in base64.
+* `base64_public_certificate` - Public Certificate file encoded in base64 (pem format).
\ No newline at end of file
diff --git a/website/docs/r/checkpoint_management_run_trusted_ca_update.html.markdown b/website/docs/r/checkpoint_management_run_trusted_ca_update.html.markdown
new file mode 100644
index 00000000..8494fc54
--- /dev/null
+++ b/website/docs/r/checkpoint_management_run_trusted_ca_update.html.markdown
@@ -0,0 +1,30 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_run_trusted_ca_update"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-run-trusted-ca-update"
+description: |-
+This resource allows you to execute Check Point Run Trusted Ca Update.
+---
+
+# checkpoint_management_run_trusted_ca_update
+
+This resource allows you to execute Check Point Run Trusted Ca Update.
+
+## Example Usage
+```hcl
+resource "checkpoint_management_run_trusted_ca_update" "test" {
+
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `package_path` - (Optional) Path on the management server for offline Trusted CAs package update.
+* `task_id` - (Computed) Asynchronous task unique identifier.
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/r/checkpoint_management_set_gateway_global_use.html.markdown b/website/docs/r/checkpoint_management_set_gateway_global_use.html.markdown
new file mode 100644
index 00000000..e83d0ec1
--- /dev/null
+++ b/website/docs/r/checkpoint_management_set_gateway_global_use.html.markdown
@@ -0,0 +1,34 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_set_gateway_global_use"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-set-gateway-global-use"
+description: |-
+This resource allows you to execute Check Point Set Gateway Global Use.
+---
+
+# checkpoint_management_set_gateway_global_use
+
+This resource allows you to execute Check Point Set Gateway Global Use.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_set_gateway_global_use" "example" {
+ target = "vpn_gw"
+ enabled = true
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `enabled` - (Required) Indicates whether global use is enabled on the target.
+* `target` - (Required) On what target to execute this command. Target may be identified by its object name, or object unique identifier.
+
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/r/checkpoint_management_set_https_advanced_settings.html.markdown b/website/docs/r/checkpoint_management_set_https_advanced_settings.html.markdown
new file mode 100644
index 00000000..25680346
--- /dev/null
+++ b/website/docs/r/checkpoint_management_set_https_advanced_settings.html.markdown
@@ -0,0 +1,88 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_set_https_advanced_settings"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-set-https-advanced-settings"
+description: |-
+This resource allows you to execute Check Point Set Https Advanced Settings.
+---
+
+# checkpoint_management_set_https_advanced_settings
+
+This resource allows you to execute Check Point Set Https Advanced Settings.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_set_https_advanced_settings" "example" {
+ bypass_on_failure = false
+ bypass_on_client_failure = false
+ site_categorization_allow_mode = "background"
+ blocked_certificate_tracking = "popup alert"
+ bypass_update_services = true
+ certificate_pinned_apps_action = "bypass"
+ log_sessions = true
+ retrieve_intermediate_ca_certificates = true
+ server_certificate_validation_actions = {
+ block_expired = true
+ block_revoked = false
+ block_untrusted = true
+ track_errors = "log"
+ }
+ blocked_certificates {
+ name = "BlackListed_A71D5266-7EF0-42CF-AE9C-409CD4093879"
+ cert_serial_number = "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71"
+ comments = "login.yahoo.com"
+ }
+ blocked_certificates {
+ name = "BlackListed_A2B37A3D-53F9-4A24-AD09-D96272CA1710"
+ cert_serial_number = "00:d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3"
+ comments = "*.EGO.GOV.TR"
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `bypass_on_client_failure` - (Optional) Whether all requests should be bypassed or blocked-in case of client errors (Client closes the connection due to authentication issues during handshake)
  • true - Fail-open (bypass all requests).
  • false - Fail-close (block all requests.

The default value is true.
+* `bypass_on_failure` - (Optional) Whether all requests should be bypassed or blocked-in case of server errors (for example validation error during GW-Server authentication)
  • true - Fail-open (bypass all requests).
  • false - Fail-close (block all requests.

The default value is true.
+* `bypass_under_load` - (Optional) Bypass the HTTPS Inspection temporarily to improve connectivity during a heavy load on the Security Gateway. The HTTPS Inspection would resume as soon as the load decreases.bypass_under_load blocks are documented below.
+* `site_categorization_allow_mode` - (Optional) Whether all requests should be allowed or blocked until categorization is complete.
  • Background - to allow requests until categorization is complete.
  • Hold- to block requests until categorization is complete.

The default value is hold.
+* `server_certificate_validation_actions` - (Optional) When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.server_certificate_validation_actions blocks are documented below.
+* `retrieve_intermediate_ca_certificates` - (Optional) Configure the value "true" to use the "Certificate Authority Information Access" extension to retrieve certificates that are missing from the certificate chain.
The default value is true.
+* `blocked_certificates` - (Optional) Collection of certificates objects identified by serial number.
Drop traffic from servers using the blocked certificate.blocked_certificates blocks are documented below.
+* `blocked_certificate_tracking` - (Optional) Controls whether to log and send a notification for dropped traffic.
  • None - Does not record the event.
  • Log - Records the event details in SmartView.
  • Alert - Logs the event and executes a command.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the SNMP GU.
  • User Defined Alert - Sends customized alerts.
.
+* `bypass_update_services` - (Optional) Configure the value "true" to bypass traffic to well-known software update services.
The default value is true.
+* `certificate_pinned_apps_action` - (Optional) Configure the value "bypass" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot inspect connections initiated by certificate-pinned applications.
Configure the value "detect" to send logs for traffic from certificate-pinned applications approved by Check Point.
The default value is bypass.
+* `log_sessions` - (Optional) The value "true" configures the Security Gateway to send HTTPS Inspection session logs.
The default value is true.
+* `domains_to_process` - (Optional) Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.domains_to_process blocks are documented below.
+* `ignore_warnings` - (Optional) Apply changes ignoring warnings.
+* `ignore_errors` - (Optional) Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
+
+
+`bypass_under_load` supports the following:
+
+* `track` - (Optional) Whether to log and send a notification for the bypass under load:
  • None - Does not record the event.
  • Log - Records the event details. Use SmartConsole or SmartView to see the logs.
  • Alert - Logs the event and executes a command you configured.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the configured SNMP Management Server.
  • User Defined Alert - Sends a custom alert.
.
+
+
+`server_certificate_validation_actions` supports the following:
+
+* `block_expired` - (Optional) Set to be true in order to drop traffic from servers with expired server certificate.
+* `block_revoked` - (Optional) Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).
+* `block_untrusted` - (Optional) Set to be true in order to drop traffic from servers with untrusted server certificate.
+* `track_errors` - (Optional) Whether to log and send a notification for the server validation errors:
  • None - Does not record the event.
  • Log - Records the event details in SmartView.
  • Alert - Logs the event and executes a command.
  • Mail - Sends an email to the administrator.
  • SNMP Trap - Sends an SNMP alert to the SNMP GU.
  • User Defined Alert - Sends customized alerts.
.
+
+
+`blocked_certificates` supports the following:
+
+* `name` - (Optional) Describes the name, cannot be overridden.
+* `cert_serial_number` - (Optional) Certificate Serial Number (unique) in hexadecimal format HH:HH.
+* `comments` - (Optional) Describes the certificate by default, can be overridden by any text.
+
+
+## How To Use
+Make sure this command will be executed in the right execution order.
+note: terraform execution is not sequential.
+
diff --git a/website/docs/r/checkpoint_management_vsx_provisioning_tool.html.markdown b/website/docs/r/checkpoint_management_vsx_provisioning_tool.html.markdown
new file mode 100644
index 00000000..aa981d86
--- /dev/null
+++ b/website/docs/r/checkpoint_management_vsx_provisioning_tool.html.markdown
@@ -0,0 +1,276 @@
+---
+layout: "checkpoint"
+page_title: "checkpoint_management_vsx_provisioning_tool"
+sidebar_current: "docs-checkpoint-resource-checkpoint-management-vsx-provisioning-tool"
+description: |-
+This resource allows you to execute Check Point Vsx Provisioning Tool.
+---
+
+# checkpoint_management_vsx_provisioning_tool
+
+This resource allows you to execute Check Point Vsx Provisioning Tool.
+
+## Example Usage
+
+
+```hcl
+resource "checkpoint_management_vsx_provisioning_tool" "example" {
+ operation = "add-vsx-cluster"
+ add_vsx_cluster_params {
+
+ vsx_name = "VSX_CLUSTER"
+ cluster_type = "vsls"
+ ipv4_address = "192.168.0.0"
+ version = "R82"
+ sync_if_name = "eth3"
+ sync_netmask = "255.255.255.0"
+ rule_ping = "enable"
+ rule_drop = "enable"
+ members {
+ name = "mem1"
+ ipv4_address = "4.4.4.4"
+ sync_ip = "192.168.1.1"
+ sic_otp = "sicotp123"
+ }
+ members {
+ name = "mem2"
+ ipv4_address = "8.4.4.4"
+ sync_ip = "192.168.2.2"
+ sic_otp = "sicotp456"
+ }
+ }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `operation` - (Required) The name of the provisioning operation to run. Each operation has its own specific parameters.
The available operations are:
  • add-vsx-gateway - Adds a new VSX gateway
  • add-vsx-cluster - Adds a new VSX cluster*
  • add-vsx-cluster-member - Adds a new VSX cluster member*
  • add-vd - Adds a new Virtual Device (VS/VSB/VSW/VR) to a VSX gateway or VSX cluster
  • add-vd-interface - Adds a new virtual interface to a Virtual Device
  • add-physical-interface - Adds a physical interface to a VSX gateway or VSX cluster
  • add-route - Adds a route to a Virtual Device
  • attach-bridge - Attaches a bridge interface to a Virtual System
  • remove-vsx - Removes a VSX gateway or VSX cluster
  • remove-vd - Removes a Virtual Device
  • remove-vd-interface - Removes an interface from a Virtual Device
  • remove-physical-interface - Removes a physical interface from a VSX gateway or VSX cluster
  • remove-route - Removes a route from a Virtual Device
  • set-vd - Modifies a Virtual Device
  • set-vd-interface - Modifies an interface on a Virtual Device
  • set-physical-interface - Modifies a physical interface on a VSX cluster or VSX gateway

* When adding a VSX Cluster, you must also add at least 2 cluster members
* Adding cluster members is only allowed when adding a new VSX cluster
* To add members to an existing cluster, use vsx-run-operation.
+* `add_physical_interface_params` - (Optional) Parameters for the operation to add a physical interface to a VSX gateway or VSX Cluster.add_physical_interface_params blocks are documented below.
+* `add_route_params` - (Optional) Parameters for the operation to add a route to a Virtual System or Virtual Router.add_route_params blocks are documented below.
+* `add_vd_interface_params` - (Optional) Parameters for the operation to add a new interface to a Virtual Device.add_vd_interface_params blocks are documented below.
+* `add_vd_params` - (Optional) Parameters for the operation to add a new Virtual Device (VS/VSB/VSW/VR).add_vd_params blocks are documented below.
+* `add_vsx_cluster_params` - (Optional) Parameters for the operation to add a new VSX Cluster.add_vsx_cluster_params blocks are documented below.
+* `add_vsx_gateway_params` - (Optional) Parameters for the operation to add a new VSX Gateway.add_vsx_gateway_params blocks are documented below.
+* `attach_bridge_params` - (Optional) Parameters for the operation to attach a new bridge interface to a Virtual System.attach_bridge_params blocks are documented below.
+* `remove_physical_interface_params` - (Optional) Parameters for the operation to remove a physical interface from a VSX (Gateway or Cluster).remove_physical_interface_params blocks are documented below.
+* `remove_route_params` - (Optional) Parameters for the operation to remove a route from a Virtual System or Virtual Router.remove_route_params blocks are documented below.
+* `remove_vd_interface_params` - (Optional) Parameters for the operation to remove a logical interface from a Virtual Device.remove_vd_interface_params blocks are documented below.
+* `remove_vd_params` - (Optional) Parameters for the operation to remove a Virtual Device.remove_vd_params blocks are documented below.
+* `remove_vsx_params` - (Optional) Parameters for the operation to remove a VSX Gateway or VSX Cluster.remove_vsx_params blocks are documented below.
+* `set_physical_interface_params` - (Optional) Parameters for the operation to change the configuration of a physical interface.set_physical_interface_params blocks are documented below.
+* `set_vd_interface_params` - (Optional) Parameters for the operation to change the configuration of a logical interface.set_vd_interface_params blocks are documented below.
+* `set_vd_params` - (Optional) Parameters for the operation to change the configuration of a Virtual Device.set_vd_params blocks are documented below.
+
+
+`add_physical_interface_params` supports the following:
+
+* `name` - (Required) Name of the interface.
+* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object.
+* `vlan_trunk` - (Optional) True if this interface is a VLAN trunk.
+
+
+`add_route_params` supports the following:
+
+* `destination` - (Required) Route destination. To specify the default route, use 'default' for IPv4 and 'default6' for IPv6.
+* `next_hop` - (Optional) Next hop IP address.
+* `leads_to` - (Optional) Virtual Router for this route
This VD must have an existing connection to the VR.
+* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router.
+* `netmask` - (Optional) Subnet mask for this route.
+* `prefix` - (Optional) CIDR prefix for this route.
+* `propagate` - (Optional) Propagate this route to adjacent virtual devices.
+
+
+`add_vd_interface_params` supports the following:
+
+* `leads_to` - (Optional) Virtual Switch or Virtual Router for this interface.
+* `name` - (Optional) Name of the interface.
+* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router.
+* `anti_spoofing` - (Optional) The anti-spoofing enforcement setting of this interface.
+* `anti_spoofing_tracking` - (Optional) The anti-spoofing tracking setting of this interface.
+* `ipv4_address` - (Optional) IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router. +* `ipv4_netmask` - (Optional) IPv4 Subnet mask of this interface. +* `ipv4_prefix` - (Optional) IPv4 CIDR prefix of this interface. +* `ipv6_address` - (Optional) IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router. +* `ipv6_netmask` - (Optional) IPv6 Subnet mask of this interface. +* `ipv6_prefix` - (Optional) IPv6 CIDR prefix of this interface. +* `mtu` - (Optional) MTU of this interface. +* `propagate` - (Optional) Propagate IPv4 route to adjacent virtual devices. +* `propagate6` - (Optional) Propagate IPv6 route to adjacent virtual devices. +* `specific_group` - (Optional) Specific group for interface topology.
Only for use with topology option 'internal_specific'. +* `topology` - (Optional) Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS. +* `vti_settings` - (Optional) VTI settings for this interface. This Virtual System must have VPN blade enabled.vti_settings blocks are documented below. + + +`add_vd_params` supports the following: + +* `interfaces` - (Required) The list of interfaces for this new Virtual Device.
Optional if this new VD is a Virtual Switch.interfaces blocks are documented below. +* `type` - (Required) Type of the Virtual Device

vs - Virtual Firewall
vr - Virtual Router
vsw - Virtual Switch
vsbm - Virtual Firewall in bridge mode. +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. +* `calc_topology_auto` - (Optional) Calculate interface topology automatically based on routes.
Relevant only for Virtual Systems.
Do not use for virtual devices. +* `ipv4_address` - (Optional) Main IPv4 Address.
Required if this device is a Virtual System.
Do not use for other virtual devices. +* `ipv4_instances` - (Optional) Number of IPv4 instances for the Virtual System.
Must be greater or equal to 1.
Only relevant for Virtual Systems and Virtual Systems in bridge mode. +* `ipv6_address` - (Optional) Main IPv6 Address.
Required if this device is a Virtual System.
Do not use for other virtual devices. +* `ipv6_instances` - (Optional) Number of IPv6 instances for the Virtual System.
Only relevant for Virtual Systems and Virtual Systems in bridge mode. +* `routes` - (Optional) The list of routes for this new Virtual Device (VS or VR only).routes blocks are documented below. +* `vs_mtu` - (Optional) MTU of the Virtual System.
Only relevant for Virtual Systems in bridge mode.
Do not use for other virtual devices. + + +`add_vsx_cluster_params` supports the following: + +* `cluster_type` - (Required) Cluster type for the VSX Cluster Object.
Starting in R81.10, only VSLS can be configured during cluster creation.
To use High Availability ('ha'), first create the cluster as VSLS and then run vsx_util on the Management. +* `ipv4_address` - (Optional) Main IPv4 Address of the VSX Gateway or Cluster object.
Optional if main IPv6 Address is defined. +* `ipv6_address` - (Optional) Main IPv6 Address of the VSX Gateway or Cluster object.
Optional if main IPv4 Address is defined. +* `members` - (Required) The list of cluster members for this new VSX Cluster. Minimum: 2.members blocks are documented below. +* `sync_if_name` - (Required) Sync interface name for the VSX Cluster. +* `sync_netmask` - (Required) Sync interface netmask for the VSX Cluster. +* `version` - (Required) Version of the VSX Gateway or Cluster object. +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. +* `rule_drop` - (Optional) Add a default drop rule to the VSX Gateway or Cluster initial policy. +* `rule_https` - (Optional) Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy. +* `rule_ping` - (Optional) Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy. +* `rule_ping6` - (Optional) Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy. +* `rule_snmp` - (Optional) Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy. +* `rule_ssh` - (Optional) Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy. + + +`add_vsx_gateway_params` supports the following: + +* `ipv4_address` - (Optional) Main IPv4 Address of the VSX Gateway or Cluster object.
Optional if main IPv6 Address is defined. +* `ipv6_address` - (Optional) Main IPv6 Address of the VSX Gateway or Cluster object.
Optional if main IPv4 Address is defined. +* `sic_otp` - (Required) SIC one-time-password of the VSX Gateway or Cluster member.
Password must be between 4-127 characters in length. +* `version` - (Required) Version of the VSX Gateway or Cluster object. +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. +* `rule_drop` - (Optional) Add a default drop rule to the VSX Gateway or Cluster initial policy. +* `rule_https` - (Optional) Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy. +* `rule_ping` - (Optional) Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy. +* `rule_ping6` - (Optional) Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy. +* `rule_snmp` - (Optional) Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy. +* `rule_ssh` - (Optional) Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy. + + +`attach_bridge_params` supports the following: + +* `ifs1` - (Required) Name of the first interface for the bridge. +* `ifs2` - (Required) Name of the second interface for the bridge. +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. + + +`remove_physical_interface_params` supports the following: + +* `name` - (Required) Name of the interface. +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. + + +`remove_route_params` supports the following: + +* `destination` - (Required) Route destination. To specify the default route, use 'default' for IPv4 and 'default6' for IPv6. +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. +* `netmask` - (Optional) Subnet mask for this route. +* `prefix` - (Optional) CIDR prefix for this route. + + +`remove_vd_interface_params` supports the following: + +* `leads_to` - (Optional) Virtual Switch or Virtual Router for this interface. +* `name` - (Optional) Name of the interface. +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. 
+ + +`remove_vd_params` supports the following: + +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. + + +`remove_vsx_params` supports the following: + +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. + + +`set_physical_interface_params` supports the following: + +* `name` - (Required) Name of the interface. +* `vlan_trunk` - (Required) True if this interface is a VLAN trunk. +* `vsx_name` - (Required) Name of the VSX Gateway or Cluster object. + + +`set_vd_interface_params` supports the following: + +* `leads_to` - (Optional) Virtual Switch or Virtual Router for this interface. +* `name` - (Optional) Name of the interface. +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. +* `anti_spoofing` - (Optional) The anti-spoofing enforcement setting of this interface. +* `anti_spoofing_tracking` - (Optional) The anti-spoofing tracking setting of this interface. +* `ipv4_address` - (Optional) IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router. +* `ipv6_address` - (Optional) IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router. +* `mtu` - (Optional) MTU of this interface. +* `new_leads_to` - (Optional) New Virtual Switch or Virtual Router for this interface. +* `propagate` - (Optional) Propagate IPv4 route to adjacent virtual devices. +* `propagate6` - (Optional) Propagate IPv6 route to adjacent virtual devices. +* `specific_group` - (Optional) Specific group for interface topology.
Only for use with topology option 'internal_specific'. +* `topology` - (Optional) Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS. + + +`set_vd_params` supports the following: + +* `vd` - (Required) Name of the Virtual System, Virtual Switch, or Virtual Router. +* `calc_topology_auto` - (Optional) Calculate interface topology automatically based on routes.
Relevant only for Virtual Systems.
Do not use for virtual devices. +* `ipv4_address` - (Optional) Main IPv4 Address.
Relevant only if this device is a Virtual System.
Do not use for other virtual devices. +* `ipv4_instances` - (Optional) Number of IPv4 instances for the Virtual System.
Must be greater or equal to 1.
Only relevant for Virtual Systems and Virtual Systems in bridge mode. +* `ipv6_address` - (Optional) Main IPv6 Address.
Relevant only if this device is a Virtual System.
Do not use for other virtual devices. +* `ipv6_instances` - (Optional) Number of IPv6 instances for the Virtual System.
Only relevant for Virtual Systems and Virtual Systems in bridge mode. +* `vs_mtu` - (Optional) MTU of the Virtual System.
Only relevant for Virtual Systems in bridge mode.
Do not use for other virtual devices. + + +`vti_settings` supports the following: + +* `local_ipv4_address` - (Optional) The IPv4 address of the VPN tunnel on this Virtual System. +* `peer_name` - (Optional) The name of the remote peer object as defined in the VPN community. +* `remote_ipv4_address` - (Optional) The IPv4 address of the VPN tunnel on the remote VPN peer. +* `tunnel_id` - (Optional) Optional unique Tunnel ID.
Automatically assigned by the system if empty. + + +`interfaces` supports the following: + +* `leads_to` - (Optional) Virtual Switch or Virtual Router for this interface. +* `name` - (Optional) Name of the interface. +* `anti_spoofing` - (Optional) The anti-spoofing enforcement setting of this interface. +* `anti_spoofing_tracking` - (Optional) The anti-spoofing tracking setting of this interface. +* `ipv4_address` - (Optional) IPv4 Address of this interface with optional CIDR prefix.
Required if this interface belongs to a Virtual System or Virtual Router. +* `ipv4_netmask` - (Optional) IPv4 Subnet mask of this interface. +* `ipv4_prefix` - (Optional) IPv4 CIDR prefix of this interface. +* `ipv6_address` - (Optional) IPv6 Address of this interface
Required if this interface belongs to a Virtual System or Virtual Router. +* `ipv6_netmask` - (Optional) IPv6 Subnet mask of this interface. +* `ipv6_prefix` - (Optional) IPv6 CIDR prefix of this interface. +* `mtu` - (Optional) MTU of this interface. +* `propagate` - (Optional) Propagate IPv4 route to adjacent virtual devices. +* `propagate6` - (Optional) Propagate IPv6 route to adjacent virtual devices. +* `specific_group` - (Optional) Specific group for interface topology.
Only for use with topology option 'internal_specific'. +* `topology` - (Optional) Topology of this interface.
Automatic topology calculation based on routes must be disabled for this VS. + + +`routes` supports the following: + +* `destination` - (Optional) Route destination. To specify the default route, use 'default' for IPv4 and 'default6' for IPv6. +* `next_hop` - (Optional) Next hop IP address. +* `leads_to` - (Optional) Virtual Router for this route
This VD must have an existing connection to the VR. +* `netmask` - (Optional) Subnet mask for this route. +* `prefix` - (Optional) CIDR prefix for this route. +* `propagate` - (Optional) Propagate this route to adjacent virtual devices. + + +`members` supports the following: + +* `ipv4_address` - (Optional) Main IPv4 Address of the VSX Cluster member.
Mandatory if the VSX Cluster has an IPv4 Address. +* `ipv6_address` - (Optional) Main IPv6 Address of the VSX Cluster member.
Mandatory if the VSX Cluster has an IPv6 Address. +* `name` - (Required) Name of the new VSX Cluster member. +* `sic_otp` - (Required) SIC one-time-password of the VSX Gateway or Cluster member.
Password must be between 4-127 characters in length. +* `sync_ip` - (Required) Sync IP address for the VSX Cluster member. + + +## How To Use +Make sure this command will be executed in the right execution order. +note: terraform execution is not sequential. +