CheckPointSW / terraform-provider-checkpoint

Terraform provider for Check Point
https://www.terraform.io/docs/providers/checkpoint/
Mozilla Public License 2.0

Changing the Layer of Access Rule Causes Error #79

Closed deutmeyerbrianpfg closed 9 months ago

deutmeyerbrianpfg commented 3 years ago

Changing the layer ID of a rule and position causes an error.

To re-create:

  1. Create a rule on layer 1
  2. Change the layer ID to be the ID of layer 2

Expected output:

  1. Destroy the rule on layer 1
  2. Build the rule on layer 2

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.my_rule.checkpoint_management_access_rule.this will be updated in-place
  ~ resource "checkpoint_management_access_rule" "this" {
        id                 = "0c691b46-d4ec-4c3b-acc8-6969d5ab8571"
      ~ layer              = "28e6905f-b0d9-46c4-8669-4e325cb698a5" -> "f0ebe7fa-b699-4696-ba47-6693eabf3797"
        name               = "firewall rule name"
      ~ position           = {
          ~ "above" = "a0420c72-0704-453b-aac3-9c55cf20210d" -> "94dcf9a5-420b-4679-ae2d-4203ab826960"
        }
        # (20 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.my_rule.checkpoint_management_access_rule.this: Modifying... [id=0c691b46-d4ec-4c3b-acc8-6969d5ab8571]
╷
│ Error: failed to execute API call
│ Status: 404 Not Found
│ Code: generic_err_object_not_found
│ Message: Requested object [Entities can not be found] not found
│ 
│   with module.my_rule.checkpoint_management_access_rule.this,
│   on .terraform/modules/rule/main.tf line 1, in resource "checkpoint_management_access_rule" "this":
│    1: resource "checkpoint_management_access_rule" "this" {
│ 
╵
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

chkp-royl commented 3 years ago

Hi @deutmeyerbrianpfg ,

You can't modify the rule layer the way you did. The Management API does not support changing the layer, as you can see in the access-rule documentation: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.8%20 . You should first delete the rule resource and then create a new resource configuration with the new layer.

Regards, Roy

b-diggity commented 3 years ago

Isn't there a way you can make a change like this force a replacement? Forcing a replacement causes terraform to destroy the resource and build a new one.

It seems silly I need to run my pipeline twice as you've mentioned. I could also change the resource name when this happens, which would destroy and build new. Ultimately, if the provider could force replacement, that would be best for pipeline runs.

Here is an example: https://registry.terraform.io/providers/AviatrixSystems/aviatrix/latest/docs/resources/aviatrix_site2cloud#custom_mapped Changing custom_mapped from false to true forced a replacement, which destroyed the resource and rebuilt it in a single run.

Here is the code: https://github.com/AviatrixSystems/terraform-provider-aviatrix/blob/master/aviatrix/resource_aviatrix_site2cloud.go#L268

    ForceNew: true,

I think you could add ForceNew: true, after this line: https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkpoint_management_access_rule.go#L33

Thanks!
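
The effect of marking `layer` with `ForceNew` can be shown with a small stand-alone model of the SDK's planning rule (added here as an example; it is not the provider's code and `attrSchema`, `accessRuleSchema` and `planAction` are hypothetical names). It uses the layer and position IDs from the plan output above: with `ForceNew` on `layer` the same change becomes a destroy/create in one run, while a position-only change stays an in-place update.

```go
package main

import "fmt"

// attrSchema stands in for the SDK's schema.Schema; only the ForceNew
// flag matters for deciding the plan action (hypothetical type).
type attrSchema struct{ ForceNew bool }

// accessRuleSchema models the attributes that appear in the issue's plan.
// ForceNew on "layer" is the change proposed in the thread.
var accessRuleSchema = map[string]attrSchema{
	"layer":    {ForceNew: true},
	"name":     {ForceNew: false},
	"position": {ForceNew: false},
}

// currentSchema models today's provider, where no attribute forces replacement.
var currentSchema = map[string]attrSchema{
	"layer": {}, "name": {}, "position": {},
}

// planAction applies the SDK rule: if any changed attribute is ForceNew the
// whole resource is replaced; otherwise changes are applied in place.
func planAction(schema map[string]attrSchema, prior, planned map[string]string) string {
	changed := false
	for name, s := range schema {
		if prior[name] == planned[name] {
			continue
		}
		if s.ForceNew {
			return "replace"
		}
		changed = true
	}
	if changed {
		return "update in-place"
	}
	return "no-op"
}

func main() {
	// Constructed states built from the IDs shown in the issue's plan output.
	prior := map[string]string{"layer": "28e6905f-b0d9-46c4-8669-4e325cb698a5",
		"position": "above:a0420c72-0704-453b-aac3-9c55cf20210d", "name": "firewall rule name"}
	planned := map[string]string{"layer": "f0ebe7fa-b699-4696-ba47-6693eabf3797",
		"position": "above:94dcf9a5-420b-4679-ae2d-4203ab826960", "name": "firewall rule name"}
	fmt.Println("current provider:", planAction(currentSchema, prior, planned))   // update in-place
	fmt.Println("with ForceNew:   ", planAction(accessRuleSchema, prior, planned)) // replace
}
```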

chkp-royl commented 3 years ago

Hi @b-diggity ,

Thanks for suggesting this new feature. We need to check whether there are any edge cases in your solution, and if not, we can add it to the next version of the Check Point provider. Terraform is open source, so you can add this line locally and build the provider so it won't block your work.

Regards, Roy

b-diggity commented 3 years ago

Sure. I opened a PR for this just to help contribute.