PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0

Configure Inbound Decryption for PAN-OS 10.2+ enhancement #401

Open jamesholland-uk opened 1 year ago

jamesholland-uk commented 1 year ago

Is your feature request related to a problem?

Configuring a decryption rule for inbound inspection from 10.2+ results in an error. Task:

- name: test_panos_decryption_rule - Create inbound inspection rule
  paloaltonetworks.panos.panos_decryption_rule:
    provider: '{{ device }}'
    name: 'Test'
    source_zones: ['inside']
    source_addresses: ['any']
    destination_zones: ['outside']
    destination_addresses: ['1.1.1.1']
    services: ['service-https']
    action: 'decrypt'
    decryption_type: 'ssl-inbound-inspection'
    ssl_certificate: 'local-ca'
    decryption_profile: 'default'

Error: fatal: [panos-10dot2]: FAILED! => {"changed": false, "msg": "Failed create: Test -> type -> ssl-inbound-inspection unexpected here\n Test -> type -> ssl-inbound-inspection is unexpected \n Test -> type is invalid"}

The XML schema changes in 10.2 to accommodate a new feature allowing multiple certificates to be used. The parameter for a certificate changed from a single string (the cert name) to a list of strings (a list of cert names).

Describe the solution you'd like

Accommodate all currently supported versions of PAN-OS for creating decryption rules for inbound inspection.

Describe alternatives you've considered

N/A

Additional context

N/A

shinmog commented 1 year ago

This is going to require a pan-os-python change: paloaltonetworks/pan-os-python#521

bgre033 commented 1 year ago

As per SimonT's post in Live, adding lines 1241 and 1242, and commenting out 1243 resolves the issue. I only tested with a single certificate though.

.../panos/policies.py

1238         params.append(
1239             VersionedParamPath(
1240                 "ssl_certificate",
1241                 vartype="member",
1242                 path="type/{decryption_type}/certificates/",
1243                 #path="type/{decryption_type}",
1244                 condition={"decryption_type": "ssl-inbound-inspection",},
1245             )
1246         )
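An added example (not pan-os-python code or this collection's code) that models the schema difference described in the issue body and in the VersionedParamPath change above: the pre-10.2 layout is inferred from path="type/{decryption_type}" (a plain string value) and the 10.2+ layout from vartype="member" with path="type/{decryption_type}/certificates/" (a list of members). The element names and the one-certificate limit on older releases are assumptions drawn from that snippet, not from the PAN-OS schema itself.

```python
# Added example, not pan-os-python code. Builds the <type> element of an
# inbound-inspection decryption rule for a given PAN-OS version.
# Assumed layouts (derived from the VersionedParamPath change in the issue):
#   < 10.2 : <type><ssl-inbound-inspection>CERT</ssl-inbound-inspection></type>
#   >= 10.2: <type><ssl-inbound-inspection><certificates><member>CERT</member>...
import xml.etree.ElementTree as ET

SCHEMA_CHANGE = (10, 2)  # version where the certificate parameter became a list


def parse_version(version: str) -> tuple:
    """'10.2.3' -> (10, 2, 3); only major.minor are compared."""
    return tuple(int(p) for p in version.split("."))


def build_type_element(version: str, decryption_type: str, certificates: list) -> ET.Element:
    """Return the <type> element in the shape the given PAN-OS version expects."""
    if decryption_type != "ssl-inbound-inspection":
        raise ValueError("certificates only apply to ssl-inbound-inspection")
    if not certificates:
        raise ValueError("at least one certificate is required")
    type_el = ET.Element("type")
    dt_el = ET.SubElement(type_el, decryption_type)
    if parse_version(version)[:2] >= SCHEMA_CHANGE:
        # 10.2+: one <member> per certificate name under <certificates>
        certs_el = ET.SubElement(dt_el, "certificates")
        for name in certificates:
            ET.SubElement(certs_el, "member").text = name
    else:
        # pre-10.2: a single certificate name as the element text (assumed limit)
        if len(certificates) != 1:
            raise ValueError("PAN-OS < 10.2 accepts exactly one inbound certificate")
        dt_el.text = certificates[0]
    return type_el


def to_xml(version: str, decryption_type: str, certificates: list) -> str:
    """Serialise the element so the two layouts can be compared side by side."""
    return ET.tostring(build_type_element(version, decryption_type, certificates), encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values matching the task in the issue ('local-ca').
    print(to_xml("10.1.0", "ssl-inbound-inspection", ["local-ca"]))
    print(to_xml("10.2.0", "ssl-inbound-inspection", ["local-ca", "backup-ca"]))
```

Sending the pre-10.2 shape to a 10.2+ device is what produces the "ssl-inbound-inspection unexpected here" error quoted in the issue, so the version check is the part the module needs.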