PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

invalid panos_security_policy causes all policies to be removed even though apply fails #272

Closed neil-wwt closed 3 years ago

neil-wwt commented 3 years ago

Describe the bug

When applying an invalid panos_security_policy, any rules defined manually or outside the current terraform are deleted even though the apply errors out and fails.

While it is true and documented that...

This resource will remove any security rule not defined in your plan file.

...it is not expected that this would happen if apply does not complete successfully.

Expected behavior

The apply should fail and existing firewall rules are unchanged.

Current behavior

The apply fails and all existing firewall rules are removed.

Possible solution

I'm guessing there is a missing catch somewhere? Or maybe it's not actually invalid, just incorrect, and apply should not fail? Regardless, how it behaves now is wrong.

Steps to reproduce

  1. Manually create a policy rule
  2. Create an invalid panos_security_policy resource (like the one below; note "foobar")
  3. Terraform apply -> yes -> error.
  4. Check the GUI. See that the manually created rule is gone.

resource "panos_security_policy" "example" {
    rule {
        name = "allow everything lolwat"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        hip_profiles = ["any"]
        destination_zones = ["foobar"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["application-default"]
        categories = ["any"]
        action = "allow"
    }
}

error

panos_security_policy.example: Creating...

Error:  allow everything lolwat -> to is invalid

  on main.tf line 16, in resource "panos_security_policy" "example":
  16: resource "panos_security_policy" "example" {

Screenshots

Context

If the new set of rules is intended to replace functionality of existing rules (like if rules were defined manually and are now being codified to have the same behavior) but there is a coding mistake, this leaves the firewall in a broken state.

Your Environment
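The failure mode in this report is an ordering problem: the existing rulebase is cleared before the new rules are checked, so a rejected rule leaves nothing behind. The following is an added model of that ordering next to the atomic validate-then-swap alternative; it is constructed example code, not the provider's implementation, and the zone names, rule shape and reuse of the "-> to is invalid" message are assumptions.

```python
"""Model of issue #272: replacing the rulebase before validating the new
rules, versus validating the full desired set first. Constructed example;
CONFIGURED_ZONES, the rule dicts and the error text are assumptions."""

CONFIGURED_ZONES = {"trust", "untrust"}  # assumed zones present on the firewall


def validate_rule(rule):
    """Reject a rule whose destination_zones ('to') names an unknown zone,
    mirroring the '<name> -> to is invalid' error quoted in the issue."""
    for zone in rule["destination_zones"]:
        if zone != "any" and zone not in CONFIGURED_ZONES:
            raise ValueError(f"{rule['name']} -> to is invalid")


def replace_rules_unsafe(rulebase, desired):
    """Buggy ordering: wipe the existing rules, then push the new ones.
    A failure part-way through leaves the firewall with no rules at all."""
    rulebase.clear()
    for rule in desired:
        validate_rule(rule)
        rulebase.append(rule)
    return rulebase


def replace_rules_atomic(rulebase, desired):
    """Safe ordering: validate every desired rule first and only then swap
    the set in, so a failed apply leaves the rulebase exactly as it was."""
    for rule in desired:
        validate_rule(rule)
    rulebase[:] = desired
    return rulebase


def apply(replace, existing, desired):
    """Run one replacement strategy; return (succeeded, remaining rule names)."""
    rulebase = list(existing)
    try:
        replace(rulebase, desired)
        return True, [r["name"] for r in rulebase]
    except ValueError:
        return False, [r["name"] for r in rulebase]


# Constructed rules: one made by hand on the box, one with the bad zone.
MANUAL_RULE = {"name": "manual-rule", "destination_zones": ["trust"]}
BAD_RULE = {"name": "allow everything lolwat", "destination_zones": ["foobar"]}

if __name__ == "__main__":
    print(apply(replace_rules_unsafe, [MANUAL_RULE], [BAD_RULE]))  # (False, [])
    print(apply(replace_rules_atomic, [MANUAL_RULE], [BAD_RULE]))  # (False, ['manual-rule'])
```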

neil-wwt commented 3 years ago

sweet! thanks! I'm excited to use this fix in our environment. What's the release cycle like?

shinmog commented 3 years ago

Hrm, wanted to do a minor release, but no need to hold this fix hostage. So I can cut a release now for you.

neil-wwt commented 3 years ago

awesome. thanks!!

SheeroRajput commented 2 months ago

Hi Neil, I would like to connect. I am facing an issue creating my code on Terraform; it says unsupported argument.

│ Error: Unsupported argument
│
│   on main.tf line 2872, in resource "panos_security_policy" "rule_Clean_up_Rule":
│ 2872:   log_end = false
│
│ An argument named "log_end" is not expected here.

Need your suggestion here.