CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

User_check not supported in access_rule resource #104

Closed simontsang2021 closed 1 year ago

simontsang2021 commented 2 years ago

Hi

As per documentation, the checkpoint_management_access_rule resource should support a "user_check" configuration block within the resource. However, I'm receiving the following error:

╷
│ Error: Unsupported argument
│ 
│   on main.tf line 21, in resource "checkpoint_management_access_rule" "policy_rules":
│   21:    user_check = {
│ 
│ An argument named "user_check" is not expected here. Did you mean to define
│ a block of type "user_check"?
╵
ERRO[0101] 1 error occurred:
        * exit status 1

My code:

resource "checkpoint_management_access_rule" "policy_rules" {
.......

   user_check = {
      interaction = "Blocked Message - Access Control" 

   }

Can you advise whether this is a bug or am I missing something?

Thanks Simon

chkp-alonshev commented 2 years ago

Hi @simontsang2021, when you get the following error message:

│ An argument named "user_check" is not expected here. Did you mean to define
│ a block of type "user_check"?

it means that you should implement the argument like this:

 user_check  {
    interaction = "Blocked Message - Access Control" 
 }

and not like this:

  user_check = {
      interaction = "Blocked Message - Access Control" 
  }

the difference is that you do not need the equals sign ('=') when you define a block.

Alon.

simontsang2021 commented 2 years ago

Ah user error. Thank you.

simontsang2021 commented 2 years ago

Even though Terraform now accepts it, after publishing the change I don't see the expected changes. Are there any other required parameters within the policy rule to set up the action to Drop with "Blocked Message - Access Control"?

chkp-alonshev commented 2 years ago

Hi @simontsang2021 , Thank you for submitting this issue, we will fix it on the next provider's version.

chkp-alonshev commented 2 years ago

Hi @simontsang2021, after investigating this issue, it seems like something is wrong with your configuration. Please note that in order to set the user_check field you need to:

  1. set the rule's access layer's field "applications_and_url_filtering" or "Content_awareness" to true.
  2. make sure the rule's action is drop.

for example:

resource "checkpoint_management_access_layer" "layer1" {
  name                           = "layer1"
  applications_and_url_filtering = true
}

resource "checkpoint_management_access_rule" "rule1" {
  layer       = checkpoint_management_access_layer.layer1.name
  position    = { top = "top" }
  name        = "test1"
  action      = "Drop"
  source      = ["DMZNet", "DMZZone", "WirelessZone"]
  enabled     = true
  destination = ["InternalNet", "CPDShield"]

  user_check {
    interaction = "Blocked Message - Access Control"
  }
}

Alon.

simontsang2021 commented 2 years ago

Hi Alon

Thank you for continuing to investigate this. However, the layer itself was already set up as an Applications and URL Filtering + Content Awareness layer. What's interesting is that I've redeployed my code today and it successfully added the user check interaction to the rule.

I did further testing and it appears the issue is that it allows you to create it initially, but it will not allow you to add or remove it afterwards. Looks like a bug to me.

Simon

bmyers-dev commented 1 year ago

Hi @chkp-alonshev, @chkp-royl - I think the issue is with the update statement found in the access_rule resource. Looks to be a typo to me, where the code is looking for "web_server" on update instead of "interaction". That could explain why it works on rule creation but not rule update. I experienced the same bug this week in our deployments. https://github.com/CheckPointSW/terraform-provider-checkpoint/pull/137
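An added post-apply check (example code, not part of the thread or the provider) that covers both points raised above: Alon's prerequisites for user_check (layer with Applications and URL Filtering or Content Awareness enabled, rule action Drop) and Simon's observation that an apply can "succeed" while the rule's interaction is left unchanged. It compares the intended Terraform values against what the Management API reports; the response dicts are constructed samples, and the hyphenated field names and `{"name": ..., "type": ...}` object references are an assumption about the show-access-layer / show-access-rule output shape.

```python
from typing import Any, Dict, List


def _name_of(value: Any) -> str:
    """Normalise a referenced object to its name. Assumed shape: the API may
    return a bare string or a {"name": ..., "uid": ..., "type": ...} dict."""
    if isinstance(value, dict):
        return str(value.get("name", ""))
    return str(value or "")


def check_user_check(desired: Dict[str, Any], layer: Dict[str, Any],
                     rule: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the rule matches intent."""
    problems: List[str] = []
    # 1. Prerequisite from the thread: the access layer must have
    #    Applications & URL Filtering or Content Awareness enabled.
    if not (layer.get("applications-and-url-filtering")
            or layer.get("content-awareness")):
        problems.append("layer has neither applications-and-url-filtering "
                        "nor content-awareness enabled")
    # 2. Prerequisite from the thread: the rule's action must be Drop.
    action = _name_of(rule.get("action"))
    if action.lower() != "drop":
        problems.append(f"rule action is {action!r}, expected 'Drop'")
    # 3. The reported symptom: apply reports success but the interaction on
    #    the management server is still the old value (drift).
    want = desired["user_check"]["interaction"]
    got = _name_of((rule.get("user-check") or {}).get("interaction"))
    if got != want:
        problems.append(f"user-check interaction is {got!r}, expected "
                        f"{want!r} (possible silent update failure)")
    return problems


# Constructed samples mirroring the configuration discussed in the thread.
DESIRED = {"action": "Drop",
           "user_check": {"interaction": "Blocked Message - Access Control"}}
LAYER_OK = {"name": "layer1", "applications-and-url-filtering": True,
            "content-awareness": False}
RULE_OK = {"name": "rule1", "action": {"name": "Drop", "type": "RulebaseAction"},
           "user-check": {"interaction": {"name": "Blocked Message - Access Control",
                                          "type": "UserCheck"}}}
# A rule whose update was silently dropped: the previous interaction remains.
RULE_STALE = {"name": "rule1", "action": {"name": "Drop", "type": "RulebaseAction"},
              "user-check": {"interaction": {"name": "Blocked Message",
                                             "type": "UserCheck"}}}

if __name__ == "__main__":
    for label, rule in (("fresh create", RULE_OK), ("after update", RULE_STALE)):
        print(label, "->", check_user_check(DESIRED, LAYER_OK, rule) or "OK")
```

Run it after `terraform apply` with the real show-access-layer / show-access-rule responses substituted for the samples; a non-empty result means the state Terraform reports does not match the policy on the management server.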