Open abeeson opened 2 years ago
Test files are provided here and should contain the minimum required to replicate this.
providers.tf.txt pano-terraform-issue.tf.txt versions.tf.txt
Palo engineering are working on a fix for this, but their approach appears to be removing the ability to have OR in XPATH calls.
This will have major impacts on Terraform's current operations and is referenced in PA TAC Case#: 01856318
The listed versions this will be in are 10.0.10 and 10.1.5 at this point.
Describe the bug
Creation and removal of security rules and DAGs in Panorama results in null reference errors that can only be fixed with a management server process restart.
This issue appears to occur when you create and remove a series of security rules in a group, whilst using DAGs on those rules.
I have a case open with Palo Alto for this (NTT SVR127593239 and PAN-179059) and they've identified an issue with the MongoDB cache not being cleaned up properly during calls to the XML API where OR is used, resulting in the reference errors.
I'm pursuing them for a fix on this, but as a workaround, migrating these calls to individual deletes without using OR, or migrating to the REST API instead of the XML, would also remove this problem.
Expected behavior
apply and destroy should work without issue
Current behavior
Creation of resources that meet certain conditions then results in a broken Panorama when a destroy is run.
Possible solution
See above - I expect the real fix is on the Panorama end, to handle the OR XML delete properly.
Steps to reproduce
I'll attach a terraform config to replicate this.
Screenshots
Not currently available, but I can dig them up if required.
Context
Removal of applications set up in our data centre now requires an additional step of restarting the entire Panorama management process when they have to be removed. This is not a common occurrence, however.
Your Environment