This is the Terraform provider for managing Check Point Workforce AI and Check Point Browse Security policies as code.
The provider is based on the public AI Security OpenAPI and Browse Security OpenAPI specifications.
Add the provider to your Terraform configuration:

```hcl
terraform {
  required_providers {
    cpwai = {
      source  = "CheckPointSW/checkpoint-workforce-ai"
      version = "~> 1.0"
    }
  }
}
```

Then run:

```sh
terraform init
```

Configure the provider with your CloudInfra API credentials and region.

```hcl
provider "cpwai" {
  client_id  = var.checkpoint_client_id
  access_key = var.checkpoint_access_key
  region     = "us"
}
```

Depending on which product you want to manage, create the appropriate API key:

For Workforce AI Security:

- Go to the Infinity Portal API Keys page.
- Click New > New Account API Key.
- In the Service dropdown, select Workforce AI Security and create the key.
- Copy the Client ID and Secret Key (Access Key).

For Browser Security:

- Go to the Infinity Portal API Keys page.
- Click New > New Account API Key.
- In the Service dropdown, select Browser Security and create the key.
- Copy the Client ID and Secret Key (Access Key).

For more information, see the Infinity Portal Administration Guide.
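
The following pre-flight check is an added example, not part of the provider or its documentation. It reports Terraform files that assign a quoted literal to `client_id` or `access_key` (or to the `checkpoint_*` variables) and confirms that the `TF_VAR_` variables used by this page's example are exported. The function names and the choice to scan `*.tf` and `*.tfvars` are assumptions of the example.

```sh
#!/bin/sh
# Added example: pre-flight check for cpwai provider credentials.
# Function names and the scanned file types are assumptions of this example.

# Print "file:line" for each quoted literal assigned to client_id/access_key
# (or the checkpoint_* variables) in *.tf and *.tfvars under directory $1.
# Only locations are printed, never the value. Returns 0 if any were found.
find_hardcoded_creds() {
    pattern='^[[:space:]]*(checkpoint_)?(client_id|access_key)[[:space:]]*=[[:space:]]*"'
    hits=$(find "$1" -type f \( -name '*.tf' -o -name '*.tfvars' \) \
        -exec grep -nE "$pattern" /dev/null {} + 2>/dev/null | cut -d: -f1,2 || true)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Return 0 only if both TF_VAR_* credentials are set and non-empty.
creds_in_env() {
    [ -n "${TF_VAR_checkpoint_client_id:-}" ] &&
        [ -n "${TF_VAR_checkpoint_access_key:-}" ]
}

# Run both checks on directory $1 (default: current directory).
preflight() {
    rc=0
    if locations=$(find_hardcoded_creds "${1:-.}"); then
        echo "FAIL: credential literal in Terraform files:" >&2
        printf '%s\n' "$locations" | sed 's/^/  /' >&2
        rc=1
    fi
    if ! creds_in_env; then
        echo "FAIL: TF_VAR_checkpoint_client_id / TF_VAR_checkpoint_access_key not set" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample: one file with a literal key, one that uses the variable.
selftest() {
    d=$(mktemp -d) || return 1
    printf 'provider "cpwai" {\n  access_key = "constructed-secret"\n}\n' > "$d/bad.tf"
    printf 'provider "cpwai" {\n  access_key = var.checkpoint_access_key\n}\n' > "$d/good.tf"
    found=$(find_hardcoded_creds "$d" || true)
    rm -rf "$d"
    [ "$found" = "$d/bad.tf:2" ]
}
```

Source the file and run `preflight . && terraform plan` in CI so that a plan never runs while a key is committed to the repository.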

| Region | Gateway URL |
|---|---|
| Europe (eu) | https://cloudinfra-gw.portal.checkpoint.com |
| United States (us) | https://cloudinfra-gw-us.portal.checkpoint.com |

```hcl
terraform {
  required_providers {
    cpwai = {
      source  = "CheckPointSW/checkpoint-workforce-ai"
      version = "~> 1.0"
    }
  }
}

variable "checkpoint_client_id" {
  type      = string
  sensitive = true
}

variable "checkpoint_access_key" {
  type      = string
  sensitive = true
}

provider "cpwai" {
  client_id  = var.checkpoint_client_id
  access_key = var.checkpoint_access_key
  region     = "us"
}

# Block uploading credit card numbers to AI services
resource "cpwai_workforce_ai_chats_rule" "block_credit_cards" {
  name        = "Block Credit Card Uploads"
  description = "Prevent PII leakage to AI services"
  order       = 0
  active      = true

  policy = jsonencode({
    event_type = "file_upload"
    action     = "prevent"
    logging    = "enabled"
    services_and_application = {
      mode = "all"
    }
    data_types = [
      {
        id   = "cf0523c1-537e-4a4b-8bb8-084b7b9e0b45"
        name = "Credit Card Number"
        type = "PRE_DEFINED"
      }
    ]
  })

  source = [
    {
      assignment_type = "ASSIGNMENT_TYPE_ENTIRE_ORG"
    }
  ]
}
```

Set credentials via environment variables:

```sh
export TF_VAR_checkpoint_client_id="your-client-id"
export TF_VAR_checkpoint_access_key="your-access-key"
```

Then apply:

```sh
terraform init
terraform plan
terraform apply
```

| Resource | Description |
|---|---|
| cpwai_workforce_ai_chats_rule | DLP rules for AI chat services |
| cpwai_workforce_ai_access_rule | Access control rules for AI services |
| cpwai_workforce_ai_agents_rule | Policy rules for AI agents and MCP servers |

| Resource | Description |
|---|---|
| cpwai_browse_dlp_rule | DLP rules for web browsing services |
| cpwai_browse_access_rule | Access control rules for web browsing |
| cpwai_browse_secure_browsing_rule | Secure browsing rules (phishing, password reuse) |
| cpwai_browse_file_protection_object | Reusable file protection policy objects |
| cpwai_browse_domains_object | Reusable domain list policy objects |

| Data Source | Description |
|---|---|
| cpwai_workforce_ai_chats_rulebase | Read the current Workforce AI chats rulebase |
| cpwai_workforce_ai_access_rulebase | Read the current Workforce AI access rulebase |
| cpwai_workforce_ai_agents_rulebase | Read the current Workforce AI agents rulebase |
| cpwai_browse_dlp_rulebase | Read the current Browse DLP rulebase |
| cpwai_browse_access_rulebase | Read the current Browse access rulebase |
| cpwai_browse_secure_browsing_rulebase | Read the current Browse secure browsing rulebase |

- Provider Documentation
- Getting Started Guide
- Policy Reference
- AI Applications Catalog
- DLP Data Types
If you find an issue or a bug in the provider, please open an issue.
- Haim Kastner - haimk@checkpoint.com