PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Could not find schema node for xpath - rulebase #270

Closed ryanpodonnell1 closed 3 years ago

ryanpodonnell1 commented 3 years ago

Describe the bug

panos_panorama_security_policy is unable to be applied due to the following error "Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='']/rulebase/security"

Expected behavior

Security Policy should be applied without error

Current behavior

The device groups are managed through terraform code; after successful creation of the DGs, terraform attempts to apply the policy, which results in the error.

Possible solution

Only noticed the fact that "rulebase" is no longer in the /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name=''<REDACT>']/<NO LONGER HERE>/security path

This path seems to have been removed in PANOS v10 and should be removed from the documentation or noted in the field description

Steps to reproduce

On PANOS 10, attempt to apply a policy to the panos_panorama_security_policy rulebase in panorama using the terraform 1.8.0 provider. It only worked when I designated post-rulebase.

Screenshots

Only pre-rulebase and post-rulebase appear to be present in PANOS V10.

image

Context

Unable to apply security policy to the rulebase section of panorama

Your Environment

panorama AWS

shinmog commented 3 years ago

@ryanpodonnell1

The xpath is weird in your error... The device_group param defaults to "shared"; did you set it to an empty string in your plan file? device-group cannot be an empty string, it should either be "shared" or the name of a device group.

Also, the rulebase defaults to "pre-rulebase" but it seems to be set to "rulebase" in your config. I am pretty sure that you can only configure rulebase="rulebase" if device_group="shared", otherwise device_group needs to be set to a real device group in Panorama and rulebase should be either "pre-rulebase" or "post-rulebase".

Please share a plan file that shows the error if the above doesn't resolve the issue for you.

ryanpodonnell1 commented 3 years ago

@shinmog Gotcha, yeah, that empty string is me deleting my DG out as it had potentially sensitive naming in it. I swapped out "post-rulebase" for "rulebase", which gives me the original error. This is to a specific DG, not "Shared".


# module.oci_external_hub.panos_panorama_security_rule_group.policies["post-rulebase"] will be destroyed
  - resource "panos_panorama_security_rule_group" "policies" {
      - device_group = "<REDACT>" -> null
      - id           = "<REDACT>:post-rulebase:0::SU5CT1VORC1TU0gKT1VUQk9VTkQtSFRUUFMKamZyb2cKZ2l0aHViLmNvbQpxdWFudGhvdXNlCnRlbXAtYWxsb3dhbGw=" -> null
      - rulebase     = "post-rulebase" -> null

      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "ssh",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "any",
            ] -> null
          - destination_zones                  = [
              - "TRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "INBOUND-SSH" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "any",
            ] -> null
          - source_addresses                   = [
              - "<REDACT> Bastion Host",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "UNTRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "ssl",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "any",
            ] -> null
          - destination_zones                  = [
              - "UNTRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "OUTBOUND-HTTPS" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "any",
            ] -> null
          - source_addresses                   = [
              - "any",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "TRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "ssl",
              - "jfrog-artifactory",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "<REDACT>",
            ] -> null
          - destination_zones                  = [
              - "UNTRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "jfrog" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "any",
            ] -> null
          - source_addresses                   = [
              - "any",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "TRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "ssl",
              - "ssh",
              - "web-browsing",
              - "git-base",
              - "github-base",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "github.com",
            ] -> null
          - destination_zones                  = [
              - "UNTRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "github.com" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "any",
            ] -> null
          - source_addresses                   = [
              - "network-dev-cmp-lb",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "TRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "any",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "<REDACT>/32",
            ] -> null
          - destination_zones                  = [
              - "UNTRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "<REDACT>" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "<REDACT>-6051",
            ] -> null
          - source_addresses                   = [
              - "any",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "TRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
      - rule {
          - action                             = "allow" -> null
          - applications                       = [
              - "any",
            ] -> null
          - categories                         = [
              - "any",
            ] -> null
          - destination_addresses              = [
              - "any",
            ] -> null
          - destination_zones                  = [
              - "UNTRUST",
            ] -> null
          - disable_server_response_inspection = false -> null
          - disabled                           = false -> null
          - hip_profiles                       = [
              - "any",
            ] -> null
          - icmp_unreachable                   = false -> null
          - log_end                            = true -> null
          - log_start                          = false -> null
          - name                               = "temp-allowall" -> null
          - negate_destination                 = false -> null
          - negate_source                      = false -> null
          - negate_target                      = false -> null
          - services                           = [
              - "any",
            ] -> null
          - source_addresses                   = [
              - "network-dev-cmp-lb",
            ] -> null
          - source_users                       = [
              - "any",
            ] -> null
          - source_zones                       = [
              - "TRUST",
            ] -> null
          - tags                               = [] -> null
          - type                               = "universal" -> null
        }
    }

  # module.oci_external_hub.panos_panorama_security_rule_group.policies["rulebase"] will be created
  + resource "panos_panorama_security_rule_group" "policies" {
      + device_group = "<REDACT>"
      + id           = (known after apply)
      + rulebase     = "rulebase"

      + rule {
          + action                             = "allow"
          + applications                       = [
              + "ssh",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "any",
            ]
          + destination_zones                  = [
              + "TRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "INBOUND-SSH"
          + negate_source                      = false
          + services                           = [
              + "any",
            ]
          + source_addresses                   = [
              + "<REDACT>t",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "UNTRUST",
            ]
          + type                               = "universal"
        }
      + rule {
          + action                             = "allow"
          + applications                       = [
              + "ssl",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "any",
            ]
          + destination_zones                  = [
              + "UNTRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "OUTBOUND-HTTPS"
          + negate_source                      = false
          + services                           = [
              + "any",
            ]
          + source_addresses                   = [
              + "any",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "TRUST",
            ]
          + type                               = "universal"
        }
      + rule {
          + action                             = "allow"
          + applications                       = [
              + "ssl",
              + "jfrog-artifactory",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "<REDACT>",
            ]
          + destination_zones                  = [
              + "UNTRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "jfrog"
          + negate_source                      = false
          + services                           = [
              + "any",
            ]
          + source_addresses                   = [
              + "any",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "TRUST",
            ]
          + type                               = "universal"
        }
      + rule {
          + action                             = "allow"
          + applications                       = [
              + "ssl",
              + "ssh",
              + "web-browsing",
              + "git-base",
              + "github-base",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "github.com",
            ]
          + destination_zones                  = [
              + "UNTRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "github.com"
          + negate_source                      = false
          + services                           = [
              + "any",
            ]
          + source_addresses                   = [
              + "network-dev-cmp-lb",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "TRUST",
            ]
          + type                               = "universal"
        }
      + rule {
          + action                             = "allow"
          + applications                       = [
              + "any",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "<REDACT>",
            ]
          + destination_zones                  = [
              + "UNTRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "<REDACT>"
          + negate_source                      = false
          + services                           = [
              + "<REDACT>",
            ]
          + source_addresses                   = [
              + "any",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "TRUST",
            ]
          + type                               = "universal"
        }
      + rule {
          + action                             = "allow"
          + applications                       = [
              + "any",
            ]
          + categories                         = [
              + "any",
            ]
          + destination_addresses              = [
              + "any",
            ]
          + destination_zones                  = [
              + "UNTRUST",
            ]
          + disable_server_response_inspection = false
          + disabled                           = false
          + hip_profiles                       = [
              + "any",
            ]
          + icmp_unreachable                   = false
          + log_end                            = true
          + log_start                          = false
          + name                               = "temp-allowall"
          + negate_source                      = false
          + services                           = [
              + "any",
            ]
          + source_addresses                   = [
              + "network-dev-cmp-lb",
            ]
          + source_users                       = [
              + "any",
            ]
          + source_zones                       = [
              + "TRUST",
            ]
          + type                               = "universal"
        }
    }

ryanpodonnell1 commented 3 years ago

Error: Could not get schema node for xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='<REDACT>']/rulebase/security/rules/entry[@name='INBOUND-SSH']

  on modules/config-oci/security_rule_groups.tf line 1, in resource "panos_panorama_security_rule_group" "policies":
   1: resource "panos_panorama_security_rule_group" "policies" {

shinmog commented 3 years ago

@ryanpodonnell1

Oh, I think I understand what you're saying. You redacted the device group from the initial error message, but didn't populate it with REDACT like you did below.

So then that's the problem: there is no "rulebase" for a specific device group, it's only pre-rulebase / post-rulebase. rulebase="rulebase" is valid, however, for the shared scope: device_group="shared".

I could update the docs to make this more clear, but this is not a bug with either the provider or PAN-OS.
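The constraint described in the two replies above (a named device group only has pre-rulebase and post-rulebase; plain rulebase exists only for device_group="shared", and device_group must never be empty) can be made to fail at plan time instead of surfacing as a "Could not find schema node" error from Panorama. The configuration below is an added example, not code from this issue or from the provider's own docs; the variable names, the lifecycle precondition (which assumes Terraform 1.2 or later, since a variable validation block can only reference its own variable) and the address object name "bastion-host" are assumptions. The rule attributes are the ones visible in the plan output posted above.

```hcl
# Added example: encodes the device_group / rulebase rule from this issue.
# Assumes Terraform >= 1.2 (lifecycle preconditions) and a configured panos provider.

variable "device_group" {
  type        = string
  default     = "shared"
  description = "Panorama device group name, or \"shared\"."

  validation {
    # An empty device_group produces the entry[@name=''] xpath seen in the issue.
    condition     = var.device_group != ""
    error_message = "device_group must be \"shared\" or the name of a device group, never an empty string."
  }
}

variable "rulebase" {
  type        = string
  default     = "pre-rulebase"
  description = "One of rulebase, pre-rulebase or post-rulebase."

  validation {
    condition     = contains(["rulebase", "pre-rulebase", "post-rulebase"], var.rulebase)
    error_message = "rulebase must be one of rulebase, pre-rulebase or post-rulebase."
  }
}

resource "panos_panorama_security_rule_group" "policies" {
  device_group = var.device_group
  rulebase     = var.rulebase

  lifecycle {
    precondition {
      # Cross-variable check: a named device group has no plain "rulebase".
      condition     = var.device_group == "shared" || var.rulebase != "rulebase"
      error_message = "rulebase = \"rulebase\" is only valid with device_group = \"shared\"; use pre-rulebase or post-rulebase for a named device group."
    }
  }

  rule {
    name                  = "INBOUND-SSH"
    source_zones          = ["UNTRUST"]
    source_addresses      = ["bastion-host"] # constructed address object name
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["TRUST"]
    destination_addresses = ["any"]
    applications          = ["ssh"]
    services              = ["any"]
    categories            = ["any"]
    action                = "allow"
    log_end               = true
  }
}
```

With device_group = "my-dg" and rulebase = "rulebase", `terraform plan` now stops on the precondition message rather than on the xpath error returned after the API call; the same input with rulebase = "post-rulebase" plans cleanly.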

shinmog commented 3 years ago

Err, I posted that before I saw your response; GitHub is having issues today.

ryanpodonnell1 commented 3 years ago

@shinmog Yeah, that all makes sense, thank you. We can probably close this out then.