terraform-provider-checkpoint icon indicating copy to clipboard operation
terraform-provider-checkpoint copied to clipboard
verified publisher icon CheckPointSW

Policy package not setting install targets to none

Open deutmeyerbrianpfg opened this issue 5 months ago • 2 comments

When creating a policy package for use with an autoscale group for CME, we are trying to set the install targets to None by default.

resource "checkpoint_management_package" "autoscale" {
  count = var.autoscale_firewall_policy ? 1 : 0

  name                 = var.package_name
  comments             = var.package_comment
  access               = true
  threat_prevention    = true
  installation_targets = []
  tags                 = var.tags

  lifecycle {
    ignore_changes = [installation_targets]
  }
}

We then ignore changes to the installation_targets for CME to manage it. When the package is created, it defaults to All gateways. The state files accurately represents the fact it's an empty list, but management doesn't match.

The management APIs calls out a list is supported: https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/add-package~v2.0.1%20

deutmeyerbrianpfg avatar Sep 12 '25 20:09 deutmeyerbrianpfg

Hi @deutmeyerbrianpfg,

Thank you for the report. It appears empty lists aren’t handled correctly in this scenario. We’re investigating and will address this in the next provider release.

Regards, Tomer.

chkp-tomerassa avatar Sep 14 '25 13:09 chkp-tomerassa

Hi @deutmeyerbrianpfg,

After further investigation, we found that this issue originates from the Terraform SDK itself. In the current SDK version, there’s no way to distinguish between an empty list and a null (unset) value. It seems that newer SDK versions include a solution for this behavior. We plan to upgrade the provider to a newer Terraform SDK and will share an update once the upgrade is complete.

Regards, Tomer.

chkp-tomerassa avatar Oct 27 '25 16:10 chkp-tomerassa