
terraform-provider-infinity-next's Introduction

Check Point Infinity Next Management Terraform Provider

Infinity Next's Terraform Provider for managing CloudGuard AppSec and other Infinity Next security applications using Terraform. You can read the Infinity Next documentation here.

Requirements

  • Terraform v0.13+
  • inext CLI - used to publish and enforce your changes made by Terraform.

Usage

Generating an API Key (Required)

  1. Go to https://portal.checkpoint.com, navigate to Global Settings -> API Keys

  2. Create a new API key and select Infinity Policy as the service, with the Admin role. We recommend that you give the key a meaningful comment so you can identify it later and avoid mistakes.

  3. Store the Client ID and Secret Key in a secure location; note that there is no way to view the secret key afterward.

Configuring the Provider

There are 2 options to set the credentials to be used by the provider:

  • Set the credentials in environment variables INEXT_CLIENT_ID and INEXT_ACCESS_KEY

  • Set the credentials explicitly or through input variables, in the .tf file that defines the provider block using the fields client_id and access_key

Note that credentials are per region, which can be configured with the region field of the provider's definition. It defaults to "eu" and currently it accepts either "eu" or "us".

Publish and Enforce your changes (Required)

All changes that are made when running terraform apply are done under a session of the configured API key. At Infinity Next, each session must be published to be able to enforce your configured policies on your assets. Think of it as committing your changes to be able to make a release.

Because Terraform has no concept of session management or of committing changes at the end of an applied configuration, the user of this provider is required to publish and enforce the applied configuration themselves.

This repository includes a CLI utility for this exact use case, which includes 2 commands: publish and enforce.

Using the inext CLI

Download and install the CLI found in the latest release

Run inext help to list all available options and commands.

The CLI requires the same credentials used to configure the provider. There are 3 options to pass these credentials to the CLI:

  1. Set the environment variables INEXT_REGION, INEXT_CLIENT_ID and INEXT_ACCESS_KEY and run inext <command>. This is the most convenient option right after terraform apply, since it uses the same environment variables as the provider.

  2. Set the credentials using the flags --client-id (shorthand -c) and --access-key (shorthand -k):

    inext publish -c $INEXT_CLIENT_ID -k $INEXT_ACCESS_KEY -r us

  3. Create a YAML file at ~/.inext.yaml with the following content:

    client-id: <INEXT_CLIENT_ID>
    access-key: <INEXT_ACCESS_KEY>
    region: eu

    Run inext <command> and the CLI is configured from ~/.inext.yaml by default; a different file can be set using inext --config <config-path> <command>.

Example

terraform init
terraform apply
inext publish && inext enforce

Then navigate to the Cloud Tab and enable the Tech Preview toggle at the bottom right. You should now see your applied objects, each in its own tab.
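The apply, publish and enforce procedure above as one script, an added example that is not part of the provider repository or its CLI. It assumes the inext binary is on PATH, the credentials are in the documented INEXT_CLIENT_ID, INEXT_ACCESS_KEY and INEXT_REGION variables, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the project's own code): runs terraform apply, then
# inext publish and inext enforce, stopping at the first failure so a session
# is never left applied-but-unpublished while looking as if it were enforced.
set -eu

# The provider and CLI currently accept only the "eu" and "us" regions.
valid_region() {
  case "$1" in
    eu|us) return 0 ;;
    *) return 1 ;;
  esac
}

# Check every credential variable is set and non-empty without printing
# the values; report the names of missing ones and return 1 if any is absent.
check_credentials() {
  missing=""
  for name in INEXT_CLIENT_ID INEXT_ACCESS_KEY INEXT_REGION; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing credential variables:$missing" >&2
    return 1
  fi
  valid_region "$INEXT_REGION" || {
    echo "INEXT_REGION must be eu or us, got: $INEXT_REGION" >&2
    return 1
  }
}

# The full pipeline: the CLI reads the same environment variables as the
# provider, so nothing secret is passed on the command line.
apply_and_publish() {
  check_credentials
  terraform init -input=false
  terraform apply -input=false -auto-approve
  inext publish
  inext enforce
}

# Only run the pipeline when explicitly asked ("./script.sh run"), so the
# file can be sourced for its check functions without side effects.
if [ "${1:-}" = "run" ]; then
  apply_and_publish
fi
```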

Build

Requirements

  • Go 1.18+

To build the provider run:

go build

To build the CLI run:

cd cmd
go build -o inext
cp inext /usr/local/bin

terraform-provider-infinity-next's People

Contributors

chkp-omris, chkp-nadavt, chkp-roniz


terraform-provider-infinity-next's Issues

Please add data resources in provider

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

At the moment infinity-next Provider does not have Data resources for Assets and Triggers. In our complex scenario, we would like to use data from CheckPoint as a source of truth since we have automated and manual provisioning for CheckPoint CloudGuard WAF.

New or Affected Resource(s)

  • infinity-next_inext_appsec_gateway_profile
  • infinity-next_inext_kubernetes_profile
  • infinity-next_inext_log_trigger
  • infinity-next_inext_trusted_sources
  • infinity-next_inext_web_api_asset
  • infinity-next_inext_web_app_asset
  • infinity-next_inext_web_user_response

Potential Terraform Configuration

data "infinity-next_inext_appsec_gateway_profile" "appsec_gateway_profile" {
  name = "random-name-forinfinity-next_inext_appsec_gateway_profile"
}

Add API discovery configuration in TF provider

Description

Please add API discovery configuration in Terraform provider

New or Affected Resource(s)

  • inext_web_api_practice

Potential Terraform Configuration

resource "inext_web_api_practice" "SomeName" {
  name = "SomeName"
  ips {
    performance_impact    = "MediumOrLower"
    severity_level        = "LowOrAbove"
    protections_from_year = "2010"
    high_confidence       = "Prevent"
    medium_confidence     = "Detect"
    low_confidence        = "Detect"
  }
  api_attacks {
    minimum_severity = "Medium"
    advanced_setting {
      body_size            = 0
      header_size          = 0
      illegal_http_methods = false
      max_object_depth     = 0
      url_size             = 0
    }
  }
  **api_discovery = { configuration options here}**
}

Add RateLimit practice as resource in TF provider

Description

Please, add RateLimit practice resource in Terraform provider

New or Affected Resource(s)

  • inext_web_api_practice
  • inext_web_api_asset

Potential Terraform Configuration

resource "inext_web_api_asset" "SomeName" {
  name = "SomeName"
  practice {
    main_mode = "Learn"
    sub_practices_modes = {
      APIAttacks       = "AccordingToPractice"
      FileSecurity     = "Disabled"
      IPS              = "AccordingToPractice"
      SchemaValidation = "Disabled"
      Snort            = "Disabled"
      WebBot           = "AccordingToPractice"
      **RateLimit = { configuration options here}**
    }
  }
}

or

resource "inext_web_api_practice" "SomeName" {
  name = "SomeName"
  ips {
    performance_impact    = "MediumOrLower"
    severity_level        = "LowOrAbove"
    protections_from_year = "2010"
    high_confidence       = "Prevent"
    medium_confidence     = "Detect"
    low_confidence        = "Detect"
  }
  api_attacks {
    minimum_severity = "Medium"
    advanced_setting {
      body_size            = 0
      header_size          = 0
      illegal_http_methods = false
      max_object_depth     = 0
      url_size             = 0
    }
  }
  **Rate_Limit = { configuration options here}**
}

Upload certificates in Gateway certificate storage

Description

Please add an option to upload certificates in Gateway certificate storage within the Terraform provider

New or Affected Resource(s)

  • inext_custom_certificate

Potential Terraform Configuration

resource "inext_custom_certificate" "custom_certificate" {
  name  = "custom_certificate"
  value = <<-EOT
    -----BEGIN CERTIFICATE REQUEST-----
    MIICnDCCAYQCAQAwVzETMBEGA1UEChMKY2hlY2twb2ludDERMA8GA1UECxMIZGF0
    ...
    ...
    -----END CERTIFICATE REQUEST-----
  EOT
}

Add Report trigger as Resource in TF provider

Description

Please add Report trigger as Resource in Terraform provider

New or Affected Resource(s)

  • report_trigger

Potential Terraform Configuration

resource "inext_report_trigger" "report_trigger" {
  name = "report_trigger"
  ...
}

Remove TF provider dependency on inext CLI

Description

Please remove the TF provider dependency on the Inext CLI for finalizing configuration changes. Since we can apply changes within the Terraform provider, it makes sense to avoid extra execution steps with the Inext CLI. Most vendors exclude any 3rd party dependencies and allow managing and applying configuration changes using the Terraform provider only. In specific use-cases all CLI components are located inside the Terraform provider binary files.

New or Affected Resource(s)

Actually, it is not a resource:

  • terraform-provider-infinity-next_v1.0.4.exe
  • inext.exe

Potential Terraform Configuration

I propose to have only terraform-provider-infinity-next_v1.0.4.exe with all functionality for Apply TF configuration, publish, and enforce it to Infinity Portal
