Problem Description:
I am encountering a Python ValueError when attempting to specify the position of an access rule using either the position or relative_position parameter in the check_point.mgmt.cp_mgmt_access_rule module. This issue occurs when providing dictionary-based position arguments (e.g., top, below, first_in_section), leading to a module failure.
Observed Behavior:
The cp_mgmt_access_rule task fails with distinct ValueError messages depending on whether position or relative_position is used. Both indicate a failure in the module's internal parsing of these parameters when they receive dictionary inputs.
When using position: { below: "SECTION_NAME" } (or first_in_section):
The module returns a ValueError: invalid literal for int() with base 10: "{'KEY': 'VALUE'}". This suggests the module is incorrectly attempting to convert the string representation of the dictionary directly into an integer.
Full Error Output Example (for position: { below: 'database specifiek' }):
{
"module_stdout": "",
"module_stderr": "Traceback (most recent call last):\n File "/home/runner/.ansible/tmp/ansible-local-21i1eh66tq/ansible-tmp-1749887438.5968103-128-81110727482672/AnsiballZ_cp_mgmt_access_rule.py", line 107, in \n _ansiballz_main()\n File "/home/runner/.ansible/tmp/ansible-local-21i1eh66tq/ansible-tmp-1749887438.5968103-128-81110727482672/AnsiballZ_cp_mgmt_access_rule.py", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/runner/.ansible/tmp/ansible-local-21i1eh66tq/ansible-tmp-1749887438.5968103-128-81110727482672/AnsiballZ_cp_mgmt_access_rule.py", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_access_rule', init_globals=dict(_module_fqn='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_access_rule', _modlib_path=modlib_path),\n File "/usr/lib64/python3.9/runpy.py", line 225, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py", line 491, in \n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py", line 485, in main\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1341, in api_call_for_rule\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1301, in is_equals_with_all_params\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1230, in is_equals_with_position_param\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_fj671bzi/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1026, in get_number_and_section_from_position\nValueError: invalid literal for int() with base 10: "{'below': 'database specifiek'}"\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1,
"_ansible_no_log": null,
"changed": false
}
When using relative_position: { top: "SECTION_NAME" } (or below, above):
The module returns a ValueError: too many values to unpack (expected 4). This indicates that the module's internal parsing logic for relative_position is failing to correctly unpack data, implying an issue with how the dictionary input is processed.
Full Error Output Example (for relative_position: { top: 'database specifiek' }):
{
"module_stdout": "",
"module_stderr": "Traceback (most recent call last):\n File "/home/runner/.ansible/tmp/ansible-local-21v8m8o0sm/ansible-tmp-1749892108.6217246-151-109966106194365/AnsiballZ_cp_mgmt_access_rule.py", line 107, in \n _ansiballz_main()\n File "/home/runner/.ansible/tmp/ansible-local-21v8m8o0sm/ansible-tmp-1749892108.6217246-151-109966106194365/AnsiballZ_cp_mgmt_access_rule.py", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/home/runner/.ansible/tmp/ansible-local-21v8m8o0sm/ansible-tmp-1749892108.6217246-151-109966106194365/AnsiballZ_cp_mgmt_access_rule.py", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_access_rule', init_globals=dict(module_fqn='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_access_rule', modlib_path=modlib_path),\n File "/usr/lib64/python3.9/runpy.py", line 225, in run_module\n return run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib64/python3.9/runpy.py", line 97, in run_module_code\n run_code(code, mod_globals, init_globals,\n File "/usr/lib64/python3.9/runpy.py", line 87, in run_code\n exec(code, run_globals)\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py", line 491, in \n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py", line 485, in main\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1341, in api_call_for_rule\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1301, in is_equals_with_all_params\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1230, in is_equals_with_position_param\n File "/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_os0sw16/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py", line 1076, in get_number_and_section_from_position\nValueError: too many values to unpack (expected 4)\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1,
"_ansible_no_log": null,
"changed": false
}
Expected Behavior:
The cp_mgmt_access_rule module should correctly parse the position and relative_position parameters when provided as dictionaries (e.g., top, below, first_in_section) according to the Check Point API specifications and collection documentation. The task should successfully place the access rule at the specified location without Python tracebacks.
Evidence of Regression / Version Mismatch:
My current environment uses check_point.mgmt collection version 5.1.3.
The official documentation for check_point.mgmt (e.g., on Ansible Galaxy) currently indicates version 6.4.0.
Crucially, the exact playbook syntax using relative_position: { top: "SECTION_NAME" } was working correctly in a previous, undetermined version of the check_point.mgmt collection in my environment. This suggests a regression in version 5.1.3.
Steps to Reproduce:
Ensure you have ansible-core 2.14.1 and check_point.mgmt 5.1.3 installed.
Have a Check Point management server with an access layer and a section (or rule) named "database specifiek".
Execute an Ansible playbook containing a task similar to the following:
YAML
- name: Attempt to add Access Rule with relative_position (Reproduces "too many values to unpack")
check_point.mgmt.cp_mgmt_access_rule:
layer: "AccessLayerName"
name: "TestRuleRelativePosition"
source: "any"
destination: "any"
service: "any"
action: "Accept"
relative_position:
top: "database specifiek"
vars:
ansible_user: "{{ check_point_username }}"
ansible_password: "{{ check_point_password }}"
ansible_checkpoint_domain: "{{ domain }}"
tags:
- cp_mgmt_access_rule
Environment Details:
Ansible Core Version: 2.14.1
ansible-playbook [core 2.14.1]
python version = 3.9.18
Check Point.Mgmt Collection (Installed): 5.1.3
Output of ansible-galaxy collection list check_point.mgmt:
Collection Version
check_point.mgmt 5.1.3
Request:
Could you please investigate this issue in check_point.mgmt collection version 5.1.3? If this is a known bug that has been fixed in newer versions (like 6.4.0), please confirm. As I am operating in a controlled environment (sandbox/Ansible Tower) where I cannot directly manage collection updates, any guidance on a fix for version 5.1.3, or confirmation of a fix in a specific newer version, would be greatly appreciated.
Hi @jeantihomme
We recommend upgrading to the latest versions which contain bug-fixes and new features.
Note that the position param accepts only a string e.g position: 1 or position: "top", not a dictionary.
Only relative_position is of type dictionary with the following options:
suboptions:
below:
description:
- Add rule below specific rule/section identified by name (limited to 50 rules if
search_entire_rulebase is False).
type: str
above:
description:
- Add rule above specific rule/section identified by name (limited to 50 rules if
search_entire_rulebase is False).
type: str
top:
description:
- Add rule to the top of a specific section identified by name (limited to 50 rules if
search_entire_rulebase is False).
type: str
bottom:
description:
- Add rule to the bottom of a specific section identified by name (limited to 50 rules if
search_entire_rulebase is False).
type: str
https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/plugins/modules/cp_mgmt_access_rule.py
Regards,
Eden
CheckPointSW
