PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License

Plan is changing resource parameters to null #315

Closed jghal closed 2 years ago

jghal commented 2 years ago

Describe the bug

We have some pipelines running with provider version 1.8.2, and the AWS 9.1.x AMI. We will sometimes see output in the plan that the values for parameters we didn't explicitly set in code are going to be changed to null. Code like this

resource "panos_security_rule_group" "hvsec" {
  depends_on       = [
    aws_ssm_parameter.firewall_panos_commit_destroy,
    panos_service_object.blast,
  ]
  position_keyword      = "before"
  position_reference    = "baseconfig-interzone-custom"
  rule {
    name                  = "inbound-hv-security-blast"
    source_zones          = [var.panos_source_zones_name]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = [var.panos_destination_zones_name]
    destination_addresses = var.hvsec_private_ip_list
    applications          = ["any"]
    services              = ["service-blast"]
    categories            = ["any"]
    action                = "allow"
  }

  rule {
    name                  = "inbound-hv-security-https"
    source_zones          = [var.panos_source_zones_name]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = [var.panos_destination_zones_name]
    destination_addresses = var.hvsec_private_ip_list
    applications          = ["any"]
    services              = ["service-https"]
    categories            = ["any"]
    action                = "allow"
  }
}

and then the plan has this for both rules

          - spyware                            = "strict-1" -> null
            tags                               = []
            type                               = "universal"
          - virus                              = "default-1" -> null
          - vulnerability                      = "strict-1" -> null

What is actually going to happen on an apply? Will this be making changes to the configuration, or is it just overly verbose chatter about the plan file which won't actually do anything to the environment?

shinmog commented 2 years ago

In this case, what you have on live is a security rule that currently has the spyware security profile set to "strict-1", but it will be removed if you apply it. The same for the virus and vulnerability security profile settings. If you want to keep those settings, then add them to the plan file as appropriate.
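
A pipeline check for the situation discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (the output of `terraform show -json` on a plan file) and lists every rule in a `panos_security_rule_group` whose `spyware`, `virus` or `vulnerability` profile would be unset by an apply. The sample plan is constructed, trimmed to the fields the check reads, and the function name `dropped_profiles` is hypothetical.

```python
import json

# Profile attributes taken from the plan output quoted in this issue.
PROFILE_ATTRS = ("spyware", "virus", "vulnerability")

# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "panos_security_rule_group.hvsec",
        "type": "panos_security_rule_group",
        "change": {
            "actions": ["update"],
            "before": {"rule": [
                {"name": "inbound-hv-security-blast", "spyware": "strict-1",
                 "virus": "default-1", "vulnerability": "strict-1"},
                {"name": "inbound-hv-security-https", "spyware": "strict-1",
                 "virus": "default-1", "vulnerability": ""},
            ]},
            "after": {"rule": [
                {"name": "inbound-hv-security-blast", "spyware": None,
                 "virus": None, "vulnerability": None},
                {"name": "inbound-hv-security-https", "spyware": "strict-1",
                 "virus": None, "vulnerability": None},
            ]},
        },
    }]
})


def dropped_profiles(plan_json):
    """Return (address, rule, attribute, old value) for each profile the plan unsets."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "panos_security_rule_group" or "update" not in change.get("actions", []):
            continue
        # Match rules by name so a reordered rule list is not misreported.
        after = {r.get("name"): r for r in (change.get("after") or {}).get("rule") or []}
        for rule in (change.get("before") or {}).get("rule") or []:
            planned = after.get(rule.get("name"))
            if planned is None:
                continue  # the rule itself is removed; out of scope for this check
            for attr in PROFILE_ATTRS:
                if rule.get(attr) and not planned.get(attr):
                    findings.append((rc["address"], rule["name"], attr, rule[attr]))
    return findings


if __name__ == "__main__":
    for address, name, attr, old in dropped_profiles(SAMPLE_PLAN):
        print(f"{address} rule {name!r}: {attr} {old!r} -> unset")
```

A pipeline step can fail the run when the returned list is non-empty, so a plan that strips threat profiles from a live rule is reviewed before apply.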

jghal commented 2 years ago

Thanks.