search

PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0
87 stars 71 forks source link

panos_ipsec_tunnel: specifying tunnel_monitor_proxy_id fails #245

Open matthewhembree opened 3 years ago

matthewhembree commented 3 years ago

Describe the bug

When specifying tunnel_monitor_proxy_id for panos_ipsec_tunnel, the modification fails.

Expected behavior

The tunnel_monitor_proxy_id for panos_ipsec_tunnel should succeed.

Current behavior

When adding a tunnel_monitor_proxy_id to a panos_ipsec_tunnel the provider seems to recreate all of the associated panos_ipsec_tunnel_proxy_id_ipv4 objects, based on the resulting plan. This seems to cause a sequencing issue or race condition as the proxy-id doesn't seem to exist at the time it is being set on the panos_ipsec_tunnel.

Possible solution

Possibly do not flush the panos_ipsec_tunnel_proxy_id_ipv4 objects when adding a tunnel_monitor_proxy_id.

Steps to reproduce

The following data is from a redacted/example config and plan. This mirrors my sensitive configuration and output.

################
# Interfaces
################
resource "panos_tunnel_interface" "partner-tunnel-interface" {
  name    = "tunnel.101"
  comment = "Partner Tunnel Interface"
  static_ips = [
    "6.6.6.6"
  ]
}

resource "panos_virtual_router_entry" "vre-tunnel-101" {
  virtual_router = panos_virtual_router.default.name
  interface      = panos_tunnel_interface.partner-tunnel-interface.name
}

################
# VPN
################
resource "panos_ike_crypto_profile" "partner-ike-crypto-profile" {
  name                    = "partner-ike-crypto-profile"
  dh_groups               = ["group14"]
  authentications         = ["sha512"]
  encryptions             = ["aes-256-cbc"]
  lifetime_value          = 28800
  lifetime_type           = "seconds"
  authentication_multiple = 3
}

resource "panos_ike_gateway" "partner-ike-gw" {
  name                     = "partner-gw"
  interface                = "ethernet1/1"
  version                  = "ikev2"
  auth_type                = "pre-shared-key"
  pre_shared_key           = "CHANGE_ME"
  local_id_type            = "ipaddr"
  local_id_value           = "5.5.5.5"
  peer_ip_type             = "ip"
  peer_ip_value            = "9.9.9.9"
  peer_id_type             = "ipaddr"
  peer_id_value            = "9.9.9.9"
  ikev2_crypto_profile     = panos_ike_crypto_profile.partner-ike-crypto-profile.name
  enable_nat_traversal     = true
  nat_traversal_keep_alive = 60
  disabled                 = true
}

resource "panos_ipsec_crypto_profile" "partner-ipsec-crypto-profile" {
  name            = "partner-ipsec-crypto-profile"
  authentications = ["sha512"]
  encryptions     = ["aes-256-cbc"]
  dh_group        = "group14"
  lifetime_type   = "seconds"
  lifetime_value  = 3600
}

resource "panos_monitor_profile" "partner-tunnel-monitor-profile" {
  name      = "partner-tunnel-monitor-profile"
  interval  = 60
  threshold = 3
  action    = "wait-recover"
}

resource "panos_ipsec_tunnel" "partner-ipsec-tunnel" {
  name                    = "partner-ipsec-tunnel"
  tunnel_interface        = panos_tunnel_interface.partner-tunnel-interface.name
  ak_ike_gateway          = panos_ike_gateway.partner-ike-gw.name
  ak_ipsec_crypto_profile = panos_ipsec_crypto_profile.partner-ipsec-crypto-profile.name
  enable_tunnel_monitor   = true
  tunnel_monitor_profile  = panos_monitor_profile.partner-tunnel-monitor-profile.name
  # tunnel_monitor_proxy_id = panos_ipsec_tunnel_proxy_id_ipv4.partner-proxy-id-monitor.name # Circular reference :(
  tunnel_monitor_proxy_id       = "partner-tunnel-monitor"
  tunnel_monitor_source_ip      = "6.6.6.6"
  tunnel_monitor_destination_ip = "8.8.8.8"
}

# Interoperability with non PanOS peers.
# Proxy IDs
resource "panos_ipsec_tunnel_proxy_id_ipv4" "partner-proxy-id-1" {
  ipsec_tunnel = panos_ipsec_tunnel.partner-ipsec-tunnel.name
  name         = "partner-1"
  local        = "7.7.7.7/32"
  remote       = "8.0.0.0/8"
  protocol_any = true
}

resource "panos_ipsec_tunnel_proxy_id_ipv4" "partner-proxy-id-monitor" {
  ipsec_tunnel = panos_ipsec_tunnel.partner-ipsec-tunnel.name
  name         = "partner-tunnel-monitor"
  local        = "6.6.6.6"
  remote       = "8.8.8.8"
  protocol_any = true
}

In the following plan, I am only adding tunnel_monitor_proxy_id. The panos_ipsec_tunnel_proxy_id_ipv4 objects already exist in state and on the device.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # panos_ipsec_tunnel.partner-ipsec-tunnel will be updated in-place
  ~ resource "panos_ipsec_tunnel" "partner-ipsec-tunnel" {
        ak_ike_gateway                = "partner-gw"
        ak_ipsec_crypto_profile       = "partner-ipsec-crypto-profile"
        anti_replay                   = false
        copy_flow_label               = false
        copy_tos                      = false
        disabled                      = false
        enable_ipv6                   = false
        enable_tunnel_monitor         = true
        gps_prefer_ipv6               = false
        gps_publish_connected_routes  = false
        gps_publish_routes            = []
        id                            = "partner-ipsec-tunnel"
        name                          = "partner-ipsec-tunnel"
        tunnel_interface              = "tunnel.101"
        tunnel_monitor_destination_ip = "8.8.8.8"
        tunnel_monitor_profile        = "partner-tunnel-monitor-profile"
      + tunnel_monitor_proxy_id       = "partner-tunnel-monitor"
        tunnel_monitor_source_ip      = "6.6.6.6"
        type                          = "auto-key"
    }

  # panos_ipsec_tunnel_proxy_id_ipv4.partner-proxy-id-1 will be created
  + resource "panos_ipsec_tunnel_proxy_id_ipv4" "partner-proxy-id-1" {
      + id           = (known after apply)
      + ipsec_tunnel = "partner-ipsec-tunnel"
      + local        = "7.7.7.7"
      + name         = "partner-1"
      + protocol_any = true
      + remote       = "8.0.0.0/8"
    }

  # panos_ipsec_tunnel_proxy_id_ipv4.partner-proxy-id-monitor will be created
  + resource "panos_ipsec_tunnel_proxy_id_ipv4" "partner-proxy-id-monitor" {
      + id           = (known after apply)
      + ipsec_tunnel = "partner-ipsec-tunnel"
      + local        = "6.6.6.6"
      + name         = "partner-tunnel-monitor"
      + protocol_any = true
      + remote       = "8.8.8.8/32"
    }

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

panos_ipsec_tunnel.partner-ipsec-tunnel: Modifying... [id=partner-ipsec-tunnel]

Error:  partner-ipsec-tunnel -> tunnel-monitor -> proxy-id is invalid

  on policy-partner.tf line 135, in resource "panos_ipsec_tunnel" "partner-ipsec-tunnel":
 135: resource "panos_ipsec_tunnel" "partner-ipsec-tunnel" {

Releasing state lock. This may take a few moments...

Context

Trying to monitor a tunnel that has been established with a Cisco ASA (policy-based) device. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHACA0

Your Environment

Thanks!