PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

PANOS Address Object Data source Returns success, but null. #288

Closed stobias123 closed 1 year ago

stobias123 commented 3 years ago

Describe the bug

Trying to find an address object that does not exist results in the data block returning successfully, but empty.

Expected behavior

I expect it to fail at the data block telling me resource not found.

Current behavior

Downstream modules that depend on this data block attempt to apply, but fail due to the value being null.

Steps to reproduce

data "panos_address_object" "blah" {
    provider = panos.SLC-panorama
    name = "I-Dont-exist"
}
resource "panos_panorama_security_rule_group" "rules" {
    device_group = each.key
    rulebase = "post-rulebase"
    #description = "Panorama fw rule. - target for ${var.app_name} - managed by TF."
    ## We should put this at the bottom.
    ## position_reference = "deny everything else"
    rule {
        name = "${var.app_name}-linux-to-foobar"
        description = "${var.ticket_number} - ${var.app_name}"
        source_zones = ["Trust"]
        destination_zones = ["Untrust_WAN"]
        source_addresses = var.src_address_groups
        destination_addresses = [data.panos_address_object.blah.name]
        source_users = ["any"] # default
        hip_profiles = ["any"] # default

        applications = ["web-browsing","yum","ssl"]
        services = ["application-default"] # default
        categories = ["any"] # default
        action = "allow"
        tags = ["terraform"]
    }
}

Error: Null value found in list

  on main.tf line 207, in resource "panos_panorama_security_rule_group" "rules":
 207:         destination_addresses = [ data.panos_address_object.syslog.name ]

Null values are not allowed for this attribute value.

Your Environment

Terraform v0.12.24
+ provider.aws v3.25.0
+ provider.panos v1.8.2
+ provider.vault v2.19.1

shinmog commented 2 years ago

It seems like Terraform is doing the right thing here, as is the provider.

When a data source (or resource) performs a read operation, if that thing doesn't exist for whatever reason, the provider is supposed to set the Id to an empty string. This tells Terraform that the thing doesn't exist anymore and it's removed from state. In the case of resources, this tells Terraform that it would need to re-create (or create for the first time) this resource, which is why "this doesn't exist" cannot be an error.

Here, since the provider sets the Id to empty for data.panos_address_object.blah, Terraform knows it doesn't exist, and then you try to use a null in the panos_panorama_security_rule_group.rules resource. Terraform knows that it cannot use a null and errors out without invoking any create/update operation.

shinmog commented 1 year ago

Closing as the question has been answered.