PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License

Problem with ipsec on 1.9.2 (was working on 1.8.3) #321

Closed jon-larsen closed 2 years ago

jon-larsen commented 2 years ago

Describe the bug

panos_ike_gateway is generating an error in version 1.9.2, probably related to ike-crypto-profile.

Expected behavior

It should not generate an error.

Current behavior

    terraform apply
    ~
    panos_ike_gateway.ike-gateway: Creating...
    ╷
    │ Error: ipsec-prod_tf -> protocol -> ikev2 -> ike-crypto-profile '::ipsec-prod_tf' is invalid | ipsec-prod_tf -> protocol -> ikev2 -> ike-crypto-profile is invalid
    │ 
    │   with panos_ike_gateway.ike-gateway,
    │   on ipsec.tf line 20, in resource "panos_ike_gateway" "ike-gateway":
    │   20: resource "panos_ike_gateway" "ike-gateway" {

Possible solution

This was working in version 1.8.3

Steps to reproduce

Config used for ike crypto and ike gateway:

    resource "panos_ike_crypto_profile" "ike-crypto-profile" {
        name = "ipsec-prod_tf"
        dh_groups = ["group14"]
        authentications = ["sha256"]
        encryptions = ["aes-256-cbc"]
        lifetime_value = 28800
        lifetime_type = "seconds"
        authentication_multiple = 3
    }

    resource "panos_ike_gateway" "ike-gateway" {
        name = "ipsec-prod_tf"
        version = "ikev2"
        peer_ip_type = "ip"
        peer_ip_value = "1.2.3.4"
        local_ip_address_type = "ip"
        local_ip_address_value = "1.2.3.5/32"
        interface = "loopback.1"
        pre_shared_key = "ThisIsNotMyPSK"
        ikev2_crypto_profile = panos_ike_crypto_profile.ike-crypto-profile.id
        enable_liveness_check = true
        liveness_check_interval = 5
    }

Context

I'm using Terraform to create an IPsec VPN tunnel on the Palo Alto firewall.

Your Environment

PA-5250 - v.9.1.12-h3

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 2 years ago

Ah. You're using the id field instead of the name field, that's why. The id field is never really used for anything external to the panos provider itself; you almost always want the name of another resource.

So change this line:

        ikev2_crypto_profile = panos_ike_crypto_profile.ike-crypto-profile.id

To this:

        ikev2_crypto_profile = panos_ike_crypto_profile.ike-crypto-profile.name

...and it should work again.
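A pre-apply check for the mistake diagnosed above, as an added example that is not part of the original thread or of the provider's code: a heuristic Python scan that flags attributes set from the `id` of another `panos_*` resource and suggests the `name` reference instead. The function names and the embedded sample configuration are constructed for illustration; because the advice above is "almost always", findings are prompts for review rather than errors.

```python
import re

RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
ASSIGN = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*(.+)$')
# Reference to the id attribute of another panos_* resource.
ID_REF = re.compile(r'\b(panos_[a-z0-9_]+\.[A-Za-z0-9_-]+)\.id(?![\w-])')


def strip_comment(line):
    """Drop a trailing # or // comment that is outside a quoted string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line  # /* block comments */ are not handled (heuristic scan)


def find_id_references(hcl_text):
    """Return one finding per panos_* '.id' reference used as a value."""
    findings, current = [], None
    for lineno, raw in enumerate(hcl_text.splitlines(), start=1):
        line = strip_comment(raw)
        res = RESOURCE.match(line)
        if res:
            current = f"{res.group(1)}.{res.group(2)}"
            continue
        assign = ASSIGN.match(line)
        if not assign:
            continue
        for ref in ID_REF.finditer(assign.group(2)):
            findings.append({"line": lineno, "resource": current,
                             "attribute": assign.group(1),
                             "reference": ref.group(1) + ".id",
                             "suggestion": ref.group(1) + ".name"})
    return findings


# Constructed sample, reduced from the configuration in the issue.
SAMPLE = '''\
resource "panos_ike_crypto_profile" "ike-crypto-profile" {
    name = "ipsec-prod_tf"
}

resource "panos_ike_gateway" "ike-gateway" {
    name = "ipsec-prod_tf"
    # constructed sample: the next line is the reference from the issue
    ikev2_crypto_profile = panos_ike_crypto_profile.ike-crypto-profile.id
}
'''
```

Running `find_id_references` over each `.tf` file before `terraform plan` surfaces these references without contacting the firewall.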

jon-larsen commented 2 years ago

You are so very correct! Thanks!