PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

panos_panorama_security_policy can't add rules to rulebase chain #275

Closed happosade closed 2 years ago

happosade commented 3 years ago

Describe the bug

Having a clean Panorama rulebase (as in, no rules added yet) and trying to add new rules to the default rulebase ends up in failure to create those rules. Targeting the post-rulebase does work as expected.

This has not been tested with an existing rulebase or with the pre-rulebase.

Expected behavior

Expecting the new rules to be added to Panorama:

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Current behavior

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # panos_panorama_security_policy.example will be created
  + resource "panos_panorama_security_policy" "example" {
      + device_group = "DEVICE-GROUP"
      + id           = (known after apply)
      + rulebase     = "rulebase"

      + rule {
          + action                = "allow"
          + applications          = [
              + "any",
            ]
          + categories            = [
              + "any",
            ]
          + destination_addresses = [
              + "any",
            ]
          + destination_zones     = [
              + "any",
            ]
          + hip_profiles          = [
              + "any",
            ]
          + log_end               = true
          + name                  = "Rule from terraform"
          + services              = [
              + "application-default",
            ]
          + source_addresses      = [
              + "any",
            ]
          + source_users          = [
              + "any",
            ]
          + source_zones          = [
              + "any",
            ]
          + type                  = "universal"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

panos_panorama_security_policy.example: Creating...

Error: Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='DEVICE-GROUP']/rulebase/security/rules

  on policies.tf line 1, in resource "panos_panorama_security_policy" "example":
   1: resource "panos_panorama_security_policy" "example" {

FATAL: Failed to execute `terraform apply` (1)

Same outcome if not targeting a specific device group but using the default shared one.

Possible solution

Maybe something to do with the XPath, as that's the only thing in the output. :monocle_face:

Steps to reproduce

  1. Have a Panorama with a clean rulebase (not sure if necessary)
  2. Use the following Terraform configuration:

    resource "panos_panorama_security_policy" "example" {
      device_group = "DEVICE-GROUP"
      rulebase     = "rulebase"
      rule {
        name                  = "Rule from terraform"
        source_users          = ["any"]
        hip_profiles          = ["any"]
        source_zones          = ["any"]
        destination_zones     = ["any"]
        source_addresses      = ["any"]
        destination_addresses = ["any"]
        applications          = ["any"]
        services              = ["application-default"]
        categories            = ["any"]
        action                = "allow"
        tags                  = []
      }
    }

  3. terraform apply
  4. Should fail

Screenshots

N/A

Context

Your Environment

terraform {
  required_providers {
    panos = {
      source  = "PaloAltoNetworks/panos"
      version = "1.8.2"
    }
  }
}
Panorama detail:
  VM mode: VMware ESXi
  Software version: 9.0.12

Terraform v0.14.10

shinmog commented 3 years ago

When configuring security rules in Panorama, you have three choices:

  1. rulebase:pre-rulebase with device_group:(a specific device group)
  2. rulebase:post-rulebase with device_group:(a specific device group)
  3. rulebase:rulebase with device_group:shared

You're attempting to configure rulebase:rulebase with a specific device group, which is not a valid combination for Panorama.

I feel like this is the second time I've seen this happen, so I'm going to leave this issue open as a reminder to put some code in the provider to check for invalid combinations and error out with a more descriptive error so users know this.
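As an added example (not code from the provider or from either participant), the following Go snippet encodes the three valid combinations listed above as a pre-flight check that fails with a descriptive message instead of letting Panorama answer with "Could not find schema node for xpath". The xpath builder reproduces the device-group path shape visible in the error output of this issue; the `/config/shared/...` form for the shared device group is an assumption of this example, and the function and constant names are made up here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Panorama accepts exactly three device_group / rulebase pairings:
//   shared             + rulebase
//   <named device group> + pre-rulebase
//   <named device group> + post-rulebase
const (
	DeviceGroupShared = "shared"
	RulebaseShared    = "rulebase"
	RulebasePre       = "pre-rulebase"
	RulebasePost      = "post-rulebase"
)

// ErrInvalidCombination is wrapped by every validation failure so callers can errors.Is() on it.
var ErrInvalidCombination = errors.New("invalid device_group/rulebase combination for Panorama")

// AllowedRulebases returns the rulebase values Panorama accepts for the given device group.
func AllowedRulebases(deviceGroup string) []string {
	if deviceGroup == DeviceGroupShared {
		return []string{RulebaseShared}
	}
	return []string{RulebasePre, RulebasePost}
}

// ValidateCombination returns nil for a valid pairing and a descriptive error otherwise,
// naming the values that would have been accepted for this device group.
func ValidateCombination(deviceGroup, rulebase string) error {
	if strings.TrimSpace(deviceGroup) == "" {
		return fmt.Errorf("%w: device_group must not be empty", ErrInvalidCombination)
	}
	allowed := AllowedRulebases(deviceGroup)
	for _, rb := range allowed {
		if rb == rulebase {
			return nil
		}
	}
	return fmt.Errorf("%w: device_group %q accepts rulebase %s, got %q",
		ErrInvalidCombination, deviceGroup, strings.Join(allowed, " or "), rulebase)
}

// SecurityRulesXpath builds the config xpath of the security rules container for a
// device group / rulebase pair, refusing to build one for an invalid combination.
// The device-group form matches the path printed in the issue's error; the shared
// form is an assumption of this example.
func SecurityRulesXpath(deviceGroup, rulebase string) (string, error) {
	if err := ValidateCombination(deviceGroup, rulebase); err != nil {
		return "", err
	}
	if deviceGroup == DeviceGroupShared {
		return "/config/shared/" + rulebase + "/security/rules", nil // assumed shape
	}
	return fmt.Sprintf(
		"/config/devices/entry[@name='localhost.localdomain']/device-group/entry[@name='%s']/%s/security/rules",
		deviceGroup, rulebase), nil
}

func main() {
	// The pairing from the issue: a named device group with the plain "rulebase".
	if _, err := SecurityRulesXpath("DEVICE-GROUP", "rulebase"); err != nil {
		fmt.Println("rejected:", err)
	}
	// A valid pairing for the same device group.
	if p, err := SecurityRulesXpath("DEVICE-GROUP", "pre-rulebase"); err == nil {
		fmt.Println("ok:", p)
	}
}
```

Running this rejects `DEVICE-GROUP` + `rulebase` with a message that lists `pre-rulebase or post-rulebase` as the accepted values, which is the kind of error the comment above proposes adding to the provider.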

happosade commented 3 years ago

Ah, that's correct. I think I was doing rules in a nested group that'd be one level deeper in the hierarchy, but since I didn't have that, I was trying to put the rules into the rulebase.

If I wasn't the first one opening this issue, maybe this is such a specific error that it could say that it's not allowed as per Panorama?

Thanks for pointing that out, I absolutely forgot it :sweat_smile: :+1: