Updating terraform checkpoint provider from 1.4 to 1.6 causing weird apply plans #93

Open
LockeColtenPFG opened this issue Dec 3, 2021 · 15 comments

@LockeColtenPFG

After bumping from 1.4 to 1.6, the terraform plan that was generated appears to want to modify our existing Access Role objects to some weird syntax.

For example

users {
  ~ selection = [
      - "company-AWS-AD-awsnumber-dba",
      + "ad_group_companyawsnumberdba",
    ]

The next apply after the update caused this to appear in the plan. It switched our selection's syntax, prepended ad_group_ to the name, and removed the hyphens from the existing selection.

This happened to every AR object we had defined (30ish)

Another oddity we noticed was that the source we defined in an AR randomly thought it was cpmiADgroup and wanted to modify itself back to the original value that had never changed.

Is this expected behavior in 1.6?

@chkp-alonshev
Contributor

Hi @LockeColtenPFG,
Thank you for submitting this issue, there was a problem with the read function and we fixed it.
Both issues you have mentioned still have API related problems.

  1. Selection name: the MGMT server adds an 'ad_group_' prefix to each name and the provider uses these names as is. We will try to find a solution for it in the next version.

  2. Source name: the access-role API show function does not return the source per object, so we cannot currently support many AD groups. For now the provider only supports a single AD group with the name CpmiAdGroup, and the problem should not appear anymore. We will allow using a different name in the next provider version, but note that we need the API to be changed to allow more than one AD group.

Thank you,
Alon
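
An added example (not part of this thread or the provider's code): a triage script over `terraform show -json` plan output that separates access-role changes explained by the name rewriting described above from changes that need review. The folding rule (strip `ad_group_`, drop hyphens, ignore case) is an assumption inferred from the report in this issue; the sample plan, group names and resource addresses are constructed.

```python
import json

PREFIX = "ad_group_"  # prefix the thread says the management server adds
ROLE_TYPE = "checkpoint_management_access_role"

def canon(name):
    """Fold a name so both reported spellings compare equal (assumed rule)."""
    n = name.lower()
    if n.startswith(PREFIX):
        n = n[len(PREFIX):]
    return n.replace("-", "")

def classify(change):
    """Label one resource change: 'no-change', 'normalization-only' or 'review'."""
    before, after = change.get("before") or {}, change.get("after") or {}
    if before == after:
        return "no-change"
    strip = lambda d: {k: v for k, v in d.items() if k != "users"}
    if strip(before) != strip(after):
        return "review"  # something other than the users block changed
    ub, ua = before.get("users") or [], after.get("users") or []
    if len(ub) != len(ua):
        return "review"
    for b, a in zip(ub, ua):
        same_source = b.get("source") == a.get("source")
        same_names = ({canon(s) for s in b.get("selection") or []}
                      == {canon(s) for s in a.get("selection") or []})
        if not (same_source and same_names):
            return "review"
    return "normalization-only"

def triage(plan_json):
    """Map each access-role address in a `terraform show -json` plan to a label."""
    plan = json.loads(plan_json)
    return {rc["address"]: classify(rc["change"])
            for rc in plan.get("resource_changes", []) if rc.get("type") == ROLE_TYPE}

def role(names):  # constructed sample data, not taken from a real plan
    return {"name": "example_ar", "users": [{"source": "myad.com__AD", "selection": names}]}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": ROLE_TYPE + ".dba", "type": ROLE_TYPE, "change": {
        "before": role(["corp-AWS-dba"]), "after": role(["ad_group_corpawsdba"])}},
    {"address": ROLE_TYPE + ".ops", "type": ROLE_TYPE, "change": {
        "before": role(["ops-team"]), "after": role(["ops-team", "contractors"])}},
]})

if __name__ == "__main__":
    for address, label in triage(SAMPLE_PLAN).items():
        print(label, address)
```

Treat `normalization-only` as a triage label rather than proof: two distinct groups that differ only by hyphens or case fold to the same value, so a spot check against the management server is still warranted.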

@deutmeyerbrianpfg

By saying you "fixed" it, will the new provider version act like how it did in 1.4.0 and not report all these changes? If yes, can you issue a fix release (like 1.6.1) for this so we don't have to downgrade our provider?

@chkp-alonshev
Contributor

Hi @deutmeyerbrianpfg,
Publishing a new version takes time (even if it is a sub-version); we will try to fix and release the version as soon as possible.
About your question, we are still working on a fix and I will be able to answer properly after we fix this issue.

@b-diggity
Contributor

Any update on a fix for this?

@chkp-alonshev
Contributor

Hi @b-diggity,
We are working on this fix, there is no ETA, but it will be published in Q1.

@deutmeyerbrianpfg

I see PR #95 was created, but a fix for this doesn't appear to be included? Q1 is winding down...is this still going to be fixed this quarter?

@chkp-alonshev
Contributor

Hi @deutmeyerbrianpfg,
Unfortunately this issue will not be fixed soon due to API limitations. I am sorry for saying it will be published in Q1.
We need to wait for the API to be fixed in order for us to fix this issue properly.
As I said before: "For now the provider only support single AD group with name CpmiAdGroup and the problem should not appear anymore." Hope you can find it useful. We will publish a solution when the API command allows us to.

I will comment here on any progress, and we will fix this issue when possible.
Sorry for the inconvenience.
Alon.

@deutmeyerbrianpfg

Can you post a code example for what you are referring to with CpmiAdGroup?

@chkp-alonshev
Contributor

resource "checkpoint_management_access_role" "example" {
  name = "New Access Role 1"
  machines {
    source    = "any"
    selection = ["any"]
  }
  users {
    source    = "CpmiAdGroup"
    selection = ["AD1", "AD2"]
  }
}

Note that this solution will still show the change LockeColtenPFG mentioned in the selection:
"
For example

users {
  ~ selection = [
      - "company-AWS-AD-awsnumber-dba",
      + "ad_group_companyawsnumberdba",
    ]
"
So it will not solve the issue. It will just resolve the source change.

@deutmeyerbrianpfg

So this code results in changes:

resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "myad.com__AD"
    selection = ["MY GROUP NAME"]
  }
}

Are you saying that I can change my source to CpmiAdGroup and the validation errors will go away as long as only one group is used in the selection? Like this?:

resource "checkpoint_management_access_role" "example" {
  name = "example_ar"
  users {
    source    = "CpmiAdGroup"
    selection = ["MY GROUP NAME"]
  }
}

@chkp-alonshev
Contributor

Hi @deutmeyerbrianpfg,
Sorry for the late response.
Because of the API issue you will still get a validation error on the selection field as mentioned by LockeColtenPFG.
It will only disable the validation error on the source field.
I will let you know as soon as we find a solution to this issue.

@watnenatePFG

Hi @chkp-alonshev is there still no fix for this? It is causing our pipeline to run very slow due to all the updates it thinks it needs to make each time. Do we need to submit an API enhancement request with our account team? Thanks for keeping after this one.

@chkp-royl
Contributor

Hi,
This is an API issue and not relevant to the provider.
It was fixed in version R82 and will probably be in the JHFs as well.

Regards,
Roy

@watnenatePFG

Thanks for the reply, Roy!

Are you able to elaborate a little more on what is missing in the API that creates this problem? I'd like to get a formal enhancement request into our account team. This is causing an extreme slowdown on our side, and I'd like to make sure that it is truly incorporated into R82.

It's been almost two years now so I could be mistaken, but I don't recall this being a problem when we first started using this provider. According to the first post of this thread, it looks like something changed between 1.4 and 1.6. Do you recall why the API limitation wasn't a problem until then?

@chkp-royl
Contributor

chkp-royl commented Nov 2, 2023

The API is missing data for terraform, so the access-role resource cannot work properly.
According to the change log, the access role resource was changed in v1.5; the resource did not work well before that because of incorrect logic in some fields. In v1.5 we fixed some bugs in the resource given the missing data we receive from the API, but from R82 this issue was resolved.
