CloudGuardIaaS icon indicating copy to clipboard operation
CloudGuardIaaS copied to clipboard
verified publisher icon CheckPointSW

allow provider to be passed by the caller

Open jetersen opened this issue 3 years ago • 3 comments 

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
│ Error: Module is incompatible with count, for_each, and depends_on
│ 
│   on modules/region-hub/main.tf line 16, in module "checkpoint":
│   16:     module.vpcs
│ 
│ The module at module.region_europe-west2.module.checkpoint.module.checkpointsw-cloudguardiaas
│ is a legacy module which contains its own local provider configurations, and so calls to it may
│ not use the count, for_each, or depends_on arguments.
│ 
│ If you also control the module
│ "git::https://github.com/CheckPointSW/CloudGuardIaaS.git?ref=72d58cf//terraform/gcp/high-availability",
│ consider updating this module to instead expect provider configurations to be passed by its
│ caller.

This is the piece that breaks the modern module support.

https://github.com/CheckPointSW/CloudGuardIaaS/blob/51702a157970a34496104d7cbc7e4d0e44f872e6/terraform/gcp/high-availability/main.tf#L1-L5

Should create a versions.tf instead, something like this: https://github.com/terraform-google-modules/terraform-google-network/blob/a93fd8ba6075dff58abdd3dbcb4487c29abc7168/modules/vpc/versions.tf#L17-L24

jetersen avatar Aug 19 '22 15:08 jetersen

you can argue var.service_account_path is obsolete or should have never been used as you can provide the credentials via GOOGLE_APPLICATION_CREDENTIALS environment variable: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication

or the fact that you can use gcloud auth application-default login locally

jetersen avatar Aug 19 '22 15:08 jetersen

Not sure why the readmes suggest you forking or copying the modules instead of sourcing it. I was trying to achieve the following:

modules/checkpoint/main.tf

module "checkpointsw-cloudguardiaas" {
  # https://github.com/CheckPointSW/CloudGuardIaaS/commit/72d58cf8ccc204654da1ac37abb89d0b8ffd5999
  source = "github.com/CheckPointSW/CloudGuardIaaS//terraform/gcp/high-availability?ref=72d58cf"

  # Google provider
  project = var.project_id

  # Checkpoint deployment
  prefix = var.prefix
  license = var.license
  image_name = var.image_name

  # Instances configuration
  region = var.region
  zoneA = var.zoneA
  zoneB = var.zoneB
  machine_type = var.machine_type
  disk_type = var.disk_type
  disk_size = var.disk_size
  admin_SSH_key = var.admin_SSH_key
  enable_monitoring = var.enable_monitoring

  # Checkpoint configuration
  management_network = var.management_network
  sic_key = var.sic_key
  generate_password = var.generate_password
  allow_upload_download = var.allow_upload_download
  admin_shell = var.admin_shell

  # VPC configuration
  cluster_network_name = var.vpcs[0].network_name
  cluster_network_subnetwork_name = var.vpcs[0].subnets[0].subnetwork_name
  mgmt_network_name = var.vpcs[1].network_name
  mgmt_network_subnetwork_name = var.vpcs[1].subnets[0].subnetwork_name
  internal_network1_name = var.vpcs[2].network_name
  internal_network1_subnetwork_name = var.vpcs[2].subnets[0].subnetwork_name
  internal_network2_name = var.vpcs[3].network_name
  internal_network2_subnetwork_name = var.vpcs[3].subnets[0].subnetwork_name
}

modules/region-hub-infra/main.tf

module "vpcs" {
  source = "./../vpcs"
  vpcs = var.vpcs
  prefix = local.prefix
}

module "checkpoint" {
  source = "./../checkpoint"
  region = var.region
  zoneA = "${var.region}-a"
  zoneB = "${var.region}-b"
  project_id = var.project_id
  vpcs = module.vpcs.vpcs
  prefix = local.prefix
  depends_on = [
    module.vpcs
  ]
}

jetersen avatar Aug 19 '22 15:08 jetersen

This would be fixed by #183 I excluded it to gcp for now to test it out first. Potentially the pattern should be applied to the other terraform modules.

jetersen avatar Aug 19 '22 18:08 jetersen

Hi @jetersen, Thank you for your effort. RnD will investigate it and update accordantly.

Thanks, Natanel

chkp-natanelm avatar Oct 23 '22 17:10 chkp-natanelm

Hi @jetersen, Could you share an example of your environment or how you use it? When I try to deploy the solution directly it is not working with the changes in #183.

As far as I can see, the google provider is still needed if you want to deploy it directly. The GOOGLE_APPLICATION_CREDENTIALS var is not working for me, at least when I deploy it directly.

In terraform/gcp/autoscale-into-new-vpc/main.tf, you left the service_account_path variable.

Best regards, Dima.

chkp-dmitrytc avatar Jan 08 '23 10:01 chkp-dmitrytc