
allow provider to be passed by the caller

Open jetersen opened this issue 3 years ago • 3 comments

```
The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
│ Error: Module is incompatible with count, for_each, and depends_on
│ 
│   on modules/region-hub/main.tf line 16, in module "checkpoint":
│   16:     module.vpcs
│ 
│ The module at module.region_europe-west2.module.checkpoint.module.checkpointsw-cloudguardiaas
│ is a legacy module which contains its own local provider configurations, and so calls to it may
│ not use the count, for_each, or depends_on arguments.
│ 
│ If you also control the module
│ "git::https://github.com/CheckPointSW/CloudGuardIaaS.git?ref=72d58cf//terraform/gcp/high-availability",
│ consider updating this module to instead expect provider configurations to be passed by its
│ caller.
```

This is the piece that breaks the modern module support.

https://github.com/CheckPointSW/CloudGuardIaaS/blob/51702a157970a34496104d7cbc7e4d0e44f872e6/terraform/gcp/high-availability/main.tf#L1-L5

Should create a versions.tf instead, something like this: https://github.com/terraform-google-modules/terraform-google-network/blob/a93fd8ba6075dff58abdd3dbcb4487c29abc7168/modules/vpc/versions.tf#L17-L24

jetersen, Aug 19 '22 15:08

You can argue var.service_account_path is obsolete or should have never been used as you can provide the credentials via GOOGLE_APPLICATION_CREDENTIALS environment variable: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication

or the fact that you can use gcloud auth application-default login locally

jetersen, Aug 19 '22 15:08

Not sure why the readmes suggest forking or copying the modules instead of sourcing them. I was trying to achieve the following:

modules/checkpoint/main.tf

```hcl
module "checkpointsw-cloudguardiaas" {
  # https://github.com/CheckPointSW/CloudGuardIaaS/commit/72d58cf8ccc204654da1ac37abb89d0b8ffd5999
  source = "github.com/CheckPointSW/CloudGuardIaaS//terraform/gcp/high-availability?ref=72d58cf"

  # Google provider
  project = var.project_id

  # Checkpoint deployment
  prefix = var.prefix
  license = var.license
  image_name = var.image_name

  # Instances configuration
  region = var.region
  zoneA = var.zoneA
  zoneB = var.zoneB
  machine_type = var.machine_type
  disk_type = var.disk_type
  disk_size = var.disk_size
  admin_SSH_key = var.admin_SSH_key
  enable_monitoring = var.enable_monitoring

  # Checkpoint configuration
  management_network = var.management_network
  sic_key = var.sic_key
  generate_password = var.generate_password
  allow_upload_download = var.allow_upload_download
  admin_shell = var.admin_shell

  # VPC configuration
  cluster_network_name = var.vpcs[0].network_name
  cluster_network_subnetwork_name = var.vpcs[0].subnets[0].subnetwork_name
  mgmt_network_name = var.vpcs[1].network_name
  mgmt_network_subnetwork_name = var.vpcs[1].subnets[0].subnetwork_name
  internal_network1_name = var.vpcs[2].network_name
  internal_network1_subnetwork_name = var.vpcs[2].subnets[0].subnetwork_name
  internal_network2_name = var.vpcs[3].network_name
  internal_network2_subnetwork_name = var.vpcs[3].subnets[0].subnetwork_name
}
```

modules/region-hub-infra/main.tf

```hcl
module "vpcs" {
  source = "./../vpcs"
  vpcs = var.vpcs
  prefix = local.prefix
}

module "checkpoint" {
  source = "./../checkpoint"
  region = var.region
  zoneA = "${var.region}-a"
  zoneB = "${var.region}-b"
  project_id = var.project_id
  vpcs = module.vpcs.vpcs
  prefix = local.prefix
  depends_on = [
    module.vpcs
  ]
}
```

jetersen, Aug 19 '22 15:08
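
The fix requested in this thread, sketched as an added example (not code from the CloudGuardIaaS repository or from #183): the module declares its provider requirement in versions.tf and the caller owns the provider configuration, which is what allows depends_on on the module call. The module paths, the variable set and the version constraint are assumptions.

```hcl
# Added example; paths, names and the version constraint are assumptions.

# ---- file: <module>/versions.tf (inside the reusable module) ----
# The module only declares which provider it needs. It contains no
# provider "google" { ... } block, so callers may use count, for_each
# and depends_on on it.
terraform {
  required_version = ">= 0.13" # module-level depends_on needs 0.13+

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 3.50" # constructed placeholder constraint
    }
  }
}

# ---- file: main.tf (root module, i.e. the caller) ----
variable "project_id" { type = string }
variable "region" { type = string }

# Configured once, by the caller. No credentials argument: the provider
# falls back to Application Default Credentials (the
# GOOGLE_APPLICATION_CREDENTIALS environment variable or
# gcloud auth application-default login), so no key file path travels
# through module variables.
provider "google" {
  project = var.project_id
  region  = var.region
}

module "vpcs" {
  source = "./modules/vpcs" # hypothetical local module
}

module "checkpoint" {
  source     = "./modules/checkpoint" # hypothetical wrapper module
  project_id = var.project_id
  region     = var.region

  # Optional: the default google configuration is inherited implicitly.
  providers = {
    google = google
  }

  depends_on = [module.vpcs]
}
```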

This would be fixed by #183. I excluded it to gcp for now to test it out first. Potentially the pattern should be applied to the other terraform modules.

jetersen, Aug 19 '22 18:08

Hi @jetersen, Thank you for your effort. RnD will investigate it and update accordingly.

Thanks, Natanel

chkp-natanelm, Oct 23 '22 17:10

Hi @jetersen, Could you share an example of your environment or how you use it? When I try to deploy the solution directly it is not working with the changes in #183.

As far as I can see, the google provider is still needed if you want to deploy it directly. The GOOGLE_APPLICATION_CREDENTIALS var is not working for me, at least when I deploy it directly.

In terraform/gcp/autoscale-into-new-vpc/main.tf, you left the service_account_path variable.

Best regards, Dima.

chkp-dmitrytc, Jan 08 '23 10:01