CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Panic when creating exception_group with applied_threat_rules #130

Closed neinkob15 closed 1 year ago

neinkob15 commented 2 years ago

I am currently trying to create a resource of type "exception_group" and applying that to a threat-rule.

This is the relevant Terraform code I'm using:

resource checkpoint_management_exception_group gr1 {
    apply_on = "manually-select-threat-rules"
    applied_threat_rules {
      layer = "Terraform_gbl Threat Prevention"   # the name of the policy-layer
      name = "rule_name"
      position = {
          below = "8eef7df4-32f8-40ec-ae21-fdd9af620739" # some id of an existing threat-rule
      }
    }
    comments = "abc123"
    ignore_errors = true
    ignore_warnings = true
    name = "My_Custom_Exception_Group"
}

The result I get is a provider-panic with the following stack-trace:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

checkpoint_management_exception_group.gr1: Creating...
╷
│ Error: Plugin did not respond
│
│   with checkpoint_management_exception_group.gr1,
│   on main.tf line 21, in resource "checkpoint_management_exception_group" "gr1":
│   21: resource checkpoint_management_exception_group gr1 {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-checkpoint_v2.2.0.exe plugin:

panic: interface conversion: interface {} is map[string]interface {}, not string

goroutine 39 [running]:
github.com/CheckPointSW/terraform-provider-checkpoint/checkpoint.createManagementExceptionGroup(0xc000eee7e0, 0x1694e80, 0xc000654000, 0x2, 0x1f84e00)
        github.com/CheckPointSW/terraform-provider-checkpoint/checkpoint/resource_checkpoint_management_exception_group.go:155 +0x1339
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc000707540, 0xc000ee8820, 0xc000ada380, 0x1694e80, 0xc000654000, 0x158e101, 0xc00032f498, 0xc000ebdc50)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.0/helper/schema/resource.go:320 +0x395
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00018c300, 0xc000c99a38, 0xc000ee8820, 0xc000ada380, 0xc000880988, 0xc0004a1280, 0x1590140)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.0/helper/schema/provider.go:294 +0xa5
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc00054c790, 0x1905710, 0xc000ebc660, 0xc000eee0e0, 0xc00054c790, 0xc000ebc660, 0xc000ef9ba0)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.0/internal/helper/plugin/grpc_provider.go:895 +0x8c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler(0x1679a20, 0xc00054c790, 0x1905710, 0xc000ebc660, 0xc000760900, 0x0, 0x1905710, 0xc000ebc660, 0xc000efc580, 0x289)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.0/internal/tfplugin5/tfplugin5.pb.go:3305 +0x222
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0006b2540, 0x190efb8, 0xc000085380, 0xc000ef2000, 0xc0005aa570, 0x1f2e760, 0x0, 0x0, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1194 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc0006b2540, 0x190efb8, 0xc000085380, 0xc000ef2000, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1517 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000700170, 0xc0006b2540, 0x190efb8, 0xc000085380, 0xc000ef2000)
        google.golang.org/grpc@v1.32.0/server.go:859 +0xb2
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.32.0/server.go:857 +0x1fd

Error: The terraform-provider-checkpoint_v2.2.0.exe plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

I looked up the problem in the source code and I found this line: https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/ba65f5d4377a7adb48b29964a32c4a0302183cf5/checkpoint/resource_checkpoint_management_exception_group.go#L155 where it tries to convert the position attribute (v) of type Map/Object into a string.

I would be happy about a fix :)
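The failure mode in the stack trace above, reproduced as an added example (not the provider's code and not part of the original post): a single-value type assertion on a map-typed attribute panics, while a checked assertion returns an error the plugin can report. `uncheckedPosition` and `positionPayload` are hypothetical names, and the sample value is constructed.

```go
package main

import "fmt"

// uncheckedPosition mimics a single-value type assertion on the "position"
// attribute. With a map value it panics, as in the reported stack trace.
func uncheckedPosition(v interface{}) (s string, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return v.(string), false
}

// positionPayload (hypothetical helper) converts the attribute with checked
// assertions and returns an error instead of crashing the plugin process.
func positionPayload(v interface{}) (map[string]interface{}, error) {
	m, ok := v.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("position: expected map, got %T", v)
	}
	if len(m) == 0 {
		return nil, fmt.Errorf("position: empty map")
	}
	out := make(map[string]interface{}, len(m))
	for k, val := range m {
		s, ok := val.(string)
		if !ok || s == "" {
			return nil, fmt.Errorf("position.%s: expected non-empty string, got %T", k, val)
		}
		out[k] = s
	}
	return out, nil
}

func main() {
	// Constructed sample: the shape a map attribute takes in resource data.
	pos := map[string]interface{}{"below": "constructed-rule-uid"}
	_, panicked := uncheckedPosition(pos)
	fmt.Println("unchecked assertion panicked:", panicked)
	payload, err := positionPayload(pos)
	fmt.Println(payload, err)
	_, err = positionPayload("constructed-rule-uid")
	fmt.Println(err)
}
```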

chkp-edenbr commented 2 years ago

Thanks for notifying us, it will be checked.

chkp-royl commented 1 year ago

Hi @neinkob15, we fixed exception group position in provider version 2.3.0. Please use this version and let us know if you still face any issue.

Regards, Roy

neinkob15 commented 1 year ago

Hi, I still have an issue with this one. I am using the new version 2.3.0. The creation of an exception group with the position is now working correctly. However, the update of the position does not work:

See this example:

resource checkpoint_management_exception_group gr1 {
    apply_on = "manually-select-threat-rules"
    applied_threat_rules {
      layer = "Terraform_gbl Threat Prevention"
      name = "first_rule"
      position = {
          below = "id1"
      }
    }
    name = "Some Exception Group"
}

If I change the position argument in this resource from id1 to id2, it would error with the following message:

╷
│ Error: failed to execute API call
│ Status: 400 Bad Request
│ Code: generic_err_missing_required_parameters
│ Message: Missing parameter: [applied-threat-rules.0.layer]
│
│   with checkpoint_management_exception_group.gr1,
│   on main.tf line 21, in resource "checkpoint_management_exception_group" "gr1":
│   21: resource checkpoint_management_exception_group gr1 {
│

This is because the "updateManagementExceptionGroup" function includes the layer attribute only if it changed, while the API backend always expects the layer attribute.
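The update behaviour described above, as an added example (not the provider's code and not part of the original post): a payload built only from changed fields omits `layer` when only the position changes, while sending the whole block on any change satisfies the required-parameter check. `ThreatRule`, `deltaPayload`, `fullPayload` and `missingRequired` are hypothetical; the check covers only `layer` because that is the one parameter the error message names.

```go
package main

import "fmt"

// ThreatRule is a hypothetical stand-in for one applied_threat_rules block.
type ThreatRule struct{ Layer, Name, Below string }

// deltaPayload sends only the fields that changed (the reported behaviour).
func deltaPayload(prev, next ThreatRule) map[string]interface{} {
	p := map[string]interface{}{}
	if prev.Layer != next.Layer {
		p["layer"] = next.Layer
	}
	if prev.Name != next.Name {
		p["name"] = next.Name
	}
	if prev.Below != next.Below {
		p["position"] = map[string]interface{}{"below": next.Below}
	}
	return p
}

// fullPayload sends the complete block whenever any field changed.
func fullPayload(prev, next ThreatRule) map[string]interface{} {
	if prev == next {
		return nil // nothing to update
	}
	return map[string]interface{}{
		"layer":    next.Layer,
		"name":     next.Name,
		"position": map[string]interface{}{"below": next.Below},
	}
}

// missingRequired stands in for the server-side check behind
// "Missing parameter: [applied-threat-rules.0.layer]".
func missingRequired(p map[string]interface{}) []string {
	var missing []string
	if _, ok := p["layer"]; !ok {
		missing = append(missing, "applied-threat-rules.0.layer")
	}
	return missing
}

func main() {
	// Constructed values matching the id1 -> id2 change in the post.
	prev := ThreatRule{"Terraform_gbl Threat Prevention", "first_rule", "id1"}
	next := ThreatRule{"Terraform_gbl Threat Prevention", "first_rule", "id2"}
	fmt.Println("delta:", missingRequired(deltaPayload(prev, next)))
	fmt.Println("full: ", missingRequired(fullPayload(prev, next)))
}
```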

chkp-royl commented 1 year ago

Seems correct. We need to take all parameters in case applied-threat-rules has changed. We will fix that in the next release, re-open issue to let everyone know about it.

chkp-adambar commented 1 year ago

Bug was fixed. Please use the latest provider. Thanks.