PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

panos_panorama_security_rule_group not being applied via terraform apply #346

Closed ShreyasNBS closed 1 year ago

ShreyasNBS commented 1 year ago

Describe the bug

I have a simple terraform module for panorama config, which creates a new template, template stack, device group and a security rule group. Code below:

//  Panorama template and template stack
// Panorama template for the east-west firewalls. Every template-scoped resource
// below (management profile, interface, virtual router, zone) references this
// template by name rather than repeating the string.
resource "panos_panorama_template" "test_ew_template" {
  name = "test east west template"
}

// Template stack layering the shared base template (supplied via a variable)
// with the east-west template defined above; list order is preserved.
// NOTE(review): the name reads "west west" — presumably "east west" was
// intended; verify before relying on it in other references.
resource "panos_panorama_template_stack" "test_ew_stack" {
  name = "test west west template stack"

  templates = [
    var.shared-base-template-name,
    panos_panorama_template.test_ew_template.name,
  ]
}

// Interface management profile permitting ping and SSH. Every other service
// (HTTP/HTTPS, SNMP, Telnet, User-ID, response pages) is left at the provider
// default of false, as the plan output shows.
// NOTE(review): this profile is bound to a data-plane interface below, so SSH
// to the firewall becomes reachable from that zone; consider limiting the
// sources with `permitted_ips` on the profile.
resource "panos_panorama_management_profile" "trust" {
  template = panos_panorama_template.test_ew_template.name
  name     = "Trust Management Profile"

  ping = true
  ssh  = true
}

// Layer-3 data interface in vsys1 of the east-west template. The interface
// takes its address from DHCP and installs the DHCP-offered default route.
// NOTE(review): with create_dhcp_default_route the firewall's default route is
// whatever the DHCP server on this segment hands out — confirm that is wanted
// on a trust-side interface rather than a static route in the virtual router.
// Binding the management profile makes ping/SSH reachable on this interface.
resource "panos_panorama_ethernet_interface" "data" {
  template = panos_panorama_template.test_ew_template.name
  vsys     = "vsys1"
  name     = "ethernet1/1"
  mode     = "layer3"
  comment  = "Data interface. This is a trust interface since east-west traffic is internal traffic."

  enable_dhcp               = true
  create_dhcp_default_route = true

  management_profile = panos_panorama_management_profile.trust.name
}

// Virtual router
// Virtual router in the east-west template; the data interface is its only
// member. Administrative distances are not set and take the provider defaults
// visible in the plan output.
resource "panos_panorama_virtual_router" "pano_ew_vr" {
  template   = panos_panorama_template.test_ew_template.name
  name       = "pano_vr"
  interfaces = [panos_panorama_ethernet_interface.data.name]
}

// Security zones
// Layer-3 security zone holding the data interface; vsys is not set and
// defaults to vsys1 (plan output). The "Allow everything" rule below matches
// this zone through source_zones/destination_zones = ["any"].
resource "panos_panorama_zone" "data" {
  template = panos_panorama_template.test_ew_template.name
  name     = "data-zone"
  mode     = "layer3"

  interfaces = [
    panos_panorama_ethernet_interface.data.name,
  ]
}

// Device group that owns the security rule group below. No device block is
// declared; the plan shows serial/vsys_list as known after apply.
resource "panos_panorama_device_group" "test_ew_dg" {
  name = "test east west device group"
}

// Security rule group in the device group. rulebase and vsys are not set, so the
// provider defaults apply: rulebase = "pre-rulebase", vsys = "vsys1" (plan output).
// No position_keyword is given here; the reporter adds position_keyword = "top"
// in the follow-up comment.
//
// NOTE(review): this is an any/any/any -> allow rule in the Panorama pre-rulebase.
// Panorama evaluates pre-rules before the device-local rulebase, so once committed
// this rule matches all traffic in the device group ahead of any more specific rule.
// Logging at session end is on by provider default (log_end = true in the plan).
resource "panos_panorama_security_rule_group" "test_ew_sg_allow_all" {
  device_group = panos_panorama_device_group.test_ew_dg.name
  rule {
    name                  = "Allow everything"
    source_zones          = ["any"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    // Panorama rejected this attribute with "hip-profiles unexpected here" (see the
    // follow-up comment); presumably the target PAN-OS version no longer accepts
    // hip-profiles on security rules — confirm against the provider docs for the
    // PAN-OS version in use. Creation succeeded once it was removed.
    hip_profiles          = ["any"]
    destination_zones     = ["any"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
  }
}

When I run terraform plan, I get the expected output:

  # module.panorama-config.panos_panorama_device_group.test_ew_dg will be created
  + resource "panos_panorama_device_group" "test_ew_dg" {
      + id   = (known after apply)
      + name = "test east west device group"

      + device {
          + serial    = (known after apply)
          + vsys_list = (known after apply)
        }
    }

  # module.panorama-config.panos_panorama_ethernet_interface.data will be created
  + resource "panos_panorama_ethernet_interface" "data" {
      + comment                   = "Data interface. This is a trust interface since east-west traffic is internal traffic."
      + create_dhcp_default_route = true
      + enable_dhcp               = true
      + id                        = (known after apply)
      + management_profile        = "Trust Management Profile"
      + mode                      = "layer3"
      + name                      = "ethernet1/1"
      + template                  = "test east west template"
      + vsys                      = "vsys1"
    }

  # module.panorama-config.panos_panorama_management_profile.trust will be created
  + resource "panos_panorama_management_profile" "trust" {
      + http                       = false
      + http_ocsp                  = false
      + https                      = false
      + id                         = (known after apply)
      + name                       = "Trust Management Profile"
      + ping                       = true
      + response_pages             = false
      + snmp                       = false
      + ssh                        = true
      + telnet                     = false
      + template                   = "test east west template"
      + userid_service             = false
      + userid_syslog_listener_ssl = false
      + userid_syslog_listener_udp = false
    }

  # module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all will be created
  + resource "panos_panorama_security_rule_group" "test_ew_sg_allow_all" {
      + device_group = "test east west device group"
      + id           = (known after apply)
      + rulebase     = "pre-rulebase"
      + vsys         = "vsys1"

      + rule {
          + action                = "allow"
          + applications          = [
              + "any",
            ]
          + categories            = [
              + "any",
            ]
          + destination_addresses = [
              + "any",
            ]
          + destination_zones     = [
              + "any",
            ]
          + hip_profiles          = [
              + "any",
            ]
          + log_end               = true
          + name                  = "Allow everything"
          + services              = [
              + "application-default",
            ]
          + source_addresses      = [
              + "any",
            ]
          + source_users          = [
              + "any",
            ]
          + source_zones          = [
              + "any",
            ]
          + type                  = "universal"
          + uuid                  = (known after apply)
        }
    }

  # module.panorama-config.panos_panorama_template.test_ew_template will be created
  + resource "panos_panorama_template" "test_ew_template" {
      + default_vsys = (known after apply)
      + id           = (known after apply)
      + name         = "test east west template"

      + devices {
          + serial    = (known after apply)
          + vsys_list = (known after apply)
        }
    }

  # module.panorama-config.panos_panorama_template_stack.test_ew_stack will be created
  + resource "panos_panorama_template_stack" "test_ew_stack" {
      + devices   = (known after apply)
      + id        = (known after apply)
      + name      = "test west west template stack"
      + templates = [
          + "shared base template",
          + "test east west template",
        ]
    }

  # module.panorama-config.panos_panorama_virtual_router.pano_ew_vr will be created
  + resource "panos_panorama_virtual_router" "pano_ew_vr" {
      + ebgp_dist        = 20
      + ibgp_dist        = 200
      + id               = (known after apply)
      + interfaces       = [
          + "ethernet1/1",
        ]
      + name             = "pano_vr"
      + ospf_ext_dist    = 110
      + ospf_int_dist    = 30
      + ospfv3_ext_dist  = 110
      + ospfv3_int_dist  = 30
      + rip_dist         = 120
      + static_dist      = 10
      + static_ipv6_dist = 10
      + template         = "test east west template"
    }

  # module.panorama-config.panos_panorama_zone.data will be created
  + resource "panos_panorama_zone" "data" {
      + id         = (known after apply)
      + interfaces = [
          + "ethernet1/1",
        ]
      + mode       = "layer3"
      + name       = "data-zone"
      + template   = "test east west template"
      + vsys       = "vsys1"
    }

Plan: 8 to add, 0 to change, 0 to destroy.

However, when I run terraform apply, creation of the security rule group keeps running without ever timing out. The other resources are applied just fine.

module.panorama-config.panos_panorama_template.test_ew_template: Creating...
module.panorama-config.panos_panorama_device_group.test_ew_dg: Creating...
module.panorama-config.panos_panorama_device_group.test_ew_dg: Creation complete after 1s [id=test east west device group]
module.panorama-config.panos_panorama_template.test_ew_template: Creation complete after 1s [id=test east west template]
module.panorama-config.panos_panorama_template_stack.test_ew_stack: Creating...
module.panorama-config.panos_panorama_management_profile.trust: Creating...
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Creating...
module.panorama-config.panos_panorama_template_stack.test_ew_stack: Creation complete after 0s [id=test west west template stack]
module.panorama-config.panos_panorama_management_profile.trust: Creation complete after 0s [id=test east west template::Trust Management Profile]
module.panorama-config.panos_panorama_ethernet_interface.data: Creating...
module.panorama-config.panos_panorama_ethernet_interface.data: Creation complete after 1s [id=test east west template::vsys1:ethernet1/1]
module.panorama-config.panos_panorama_zone.data: Creating...
module.panorama-config.panos_panorama_virtual_router.pano_ew_vr: Creating...
module.panorama-config.panos_panorama_zone.data: Creation complete after 0s [id=test east west template::vsys1:data-zone]
module.panorama-config.panos_panorama_virtual_router.pano_ew_vr: Creation complete after 1s [id=test east west template:::pano_vr]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [20s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [30s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [40s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [1m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [2m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [3m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [4m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [5m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [6m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [7m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [8m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [9m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m29s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m39s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m49s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [10m59s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [11m9s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [11m19s elapsed]
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Still creating... [11m29s elapsed]

What am I missing? One thing to note is that this is all candidate config, since the goal is to run a commit after the above has been created.

Expected behavior

Security rule group should be created via terraform apply.

Current behavior

Security rule group is not being created.

Your Environment


ShreyasNBS commented 1 year ago

OK, quick update. I added `position_keyword` and a `lifecycle` block. After this, I got the following error:

// Same rule group with position_keyword = "top" and a lifecycle block added.
// With this change the apply no longer hangs; Panorama instead returns the
// error shown below ("hip-profiles unexpected here"), pointing at hip_profiles.
//
// NOTE(review): position_keyword = "top" places this any/any allow rule first in
// the device group's pre-rulebase, ahead of every other rule pushed to the devices.
resource "panos_panorama_security_rule_group" "test_ew_sg_allow_all" {
  device_group     = panos_panorama_device_group.test_ew_dg.name
  position_keyword = "top"
  rule {
    name                  = "Allow everything"
    source_zones          = ["any"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    // The attribute Panorama rejected; creation succeeded after it was commented out.
    hip_profiles          = ["any"]
    destination_zones     = ["any"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
  }

  // create_before_destroy: a replacement rule group is created before the old
  // one is removed, so the rule does not vanish from the rulebase mid-apply.
  lifecycle {
    create_before_destroy = true
  }
}
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Creating...
╷
│ Error: Allow everything -> hip-profiles unexpected here
│ 
│   with module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all,
│   on ../../modules/panorama-config/security.tf line 9, in resource "panos_panorama_security_rule_group" "test_ew_sg_allow_all":
│    9: resource "panos_panorama_security_rule_group" "test_ew_sg_allow_all" {

After commenting out hip_profiles, the rule group was created fine. Is this expected?

module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Creating...
module.panorama-config.panos_panorama_security_rule_group.test_ew_sg_allow_all: Creation complete after 1s [id=test east west device group:pre-rulebase:vsys1:5::QWxsb3cgZXZlcnl0aGluZw==]