CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Bug: Access Rules using inline layers breaks on subsequent deployments #60

Closed SMBurrows closed 3 years ago

SMBurrows commented 3 years ago

Using the following configuration:

resource "checkpoint_management_access_rule" "sensitive_access" {
  action = "Apply Layer"
  destination = [
    "Any",
  ]
  inline_layer = checkpoint_management_access_layer.sensitive_servers.name
  layer        = "Network"
  name         = "Access Sensitive Servers"
  position = {
    below = checkpoint_management_access_rule.marketing.id
  }
  service = [
    "any",
  ]
  source = [
    "any",
  ]
}

resource "checkpoint_management_access_layer" "sensitive_servers" {
  add_default_rule               = true
  applications_and_url_filtering = true
  firewall                       = true
  name                           = "SensitiveServers"
}

Running terraform apply and publishing in Check Point will be successful the first time.

Making a change to the config will result in the terraform plan displaying that it will change the following:

# module.access-rules.checkpoint_management_access_rule.sensitive_access will be updated in-place
  ~ resource "checkpoint_management_access_rule" "sensitive_access" {
      ~ action             = "Inner Layer" -> "Apply Layer"

And running apply again will display a 400 error saying that the inline-layer was not defined even though it is still in the HCL:

Error: failed to execute API call
Status: 400 Bad Request
Code: generic_err_missing_required_parameters
Message: Missing parameter: [inline-layer]

I am assuming that because the state changes to "Inner Layer" the resource does not pass in the inline-layer data to the API call?

Tested on: Windows 10, MacOSX 11.1; Terraform v13.5; Check Point Provider v1.3

chkp-royl commented 3 years ago

Hi @SMBurrows, thank you for reporting this bug. It looks like a validation error: if action is 'Apply Layer', the parameter inline-layer shouldn't be null in the API call. We will fix that in the next version of the provider. If it's urgent, I suggest adding the following code to the update access rule function where we handle the "action" parameter (line 873) and building the provider locally:

if val, ok := d.GetOk("inline_layer"); ok {
    accessRule["inline-layer"] = val.(string)
}

Thanks, Roy
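
The failure and the suggested fix, modelled as an added Go example (not the provider's code and not part of the thread). `rule`, `buildUpdate` and `validate` are hypothetical stand-ins, and the example assumes the update function sends only the attributes that differ from state.

```go
package main

import (
	"errors"
	"fmt"
)

// rule is a hypothetical stand-in for the provider's resource data:
// cfg holds the HCL values, changed marks attributes that differ from state.
type rule struct {
	cfg     map[string]string
	changed map[string]bool
}

func (r rule) HasChange(k string) bool       { return r.changed[k] }
func (r rule) GetOk(k string) (string, bool) { return r.cfg[k], r.cfg[k] != "" }

// buildUpdate assembles the update payload from changed attributes only (assumed).
// With withFix, inline-layer is re-sent whenever action is sent, as in the snippet above.
func buildUpdate(r rule, withFix bool) map[string]string {
	p := map[string]string{}
	if r.HasChange("action") {
		p["action"] = r.cfg["action"]
		if val, ok := r.GetOk("inline_layer"); withFix && ok {
			p["inline-layer"] = val
		}
	}
	if r.HasChange("inline_layer") {
		p["inline-layer"] = r.cfg["inline_layer"]
	}
	return p
}

// validate mimics the API rule behind the 400 response quoted in the issue.
func validate(p map[string]string) error {
	if p["action"] == "Apply Layer" && p["inline-layer"] == "" {
		return errors.New("Missing parameter: [inline-layer]")
	}
	return nil
}

func main() {
	// Constructed second apply: only "action" differs from state.
	cfg := map[string]string{"action": "Apply Layer", "inline_layer": "SensitiveServers"}
	r := rule{cfg: cfg, changed: map[string]bool{"action": true}}
	fmt.Println("before fix:", validate(buildUpdate(r, false)))
	fmt.Println("after fix: ", validate(buildUpdate(r, true)))
}
```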

chkp-royl commented 3 years ago

Hi @SMBurrows,

We released version v1.4.0, which includes a fix for this bug. Please upgrade the provider and let us know if this issue still happens to you.

Thanks, Roy