search

PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License
89 stars 73 forks source link

position_reference with panos_security_rule_group usage #349

Closed chuckysap closed 2 years ago

chuckysap commented 2 years ago

Is it possible to be able to reference an entire rule group instead of individual rules when using position_reference?. I am looking to ensure 3 independent groups of rules stay in a particular order and that the rules stay within those blocks/groups.

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

chuckysap commented 2 years ago

If this isn't possible, is it possible to be able to maintain a certain order of rules within a rule group? I've seen that it doesn't always maintain the rule order in the rule group definition.

shinmog commented 2 years ago

This isn't specific to the panos provider, you just use HCL to do this. Here's an example:

resource "panos_security_rule_group" "first" {
    rule {
        name = "first"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        destination_zones = ["any"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["any"]
        categories = ["any"]
        log_end = true
        action = "allow"
    }

    lifecycle {
        create_before_destroy = true
    }
}

resource "panos_security_rule_group" "second" {
    position_keyword = "directly after"
    position_reference = (
        panos_security_rule_group.first.rule[
            length(panos_security_rule_group.first.rule) - 1
        ].name
    )
    rule {
        name = "second"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        destination_zones = ["any"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["any"]
        categories = ["any"]
        log_end = true
        action = "allow"
    }
    rule {
        name = "third"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        destination_zones = ["any"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["any"]
        categories = ["any"]
        log_end = true
        action = "allow"
    }

    lifecycle {
        create_before_destroy = true
    }
}

resource "panos_security_rule_group" "third" {
    position_keyword = "directly after"
    position_reference = (
        panos_security_rule_group.second.rule[
            length(panos_security_rule_group.second.rule) - 1
        ].name
    )
    rule {
        name = "fourth"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        destination_zones = ["any"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["any"]
        categories = ["any"]
        log_end = true
        action = "allow"
    }

    lifecycle {
        create_before_destroy = true
    }
}
chuckysap commented 2 years ago

Hey shinmog - The above works as expected when explicitly laying out each rule underneath the resource. We are attempting to import the rules dynamically from a YAML file (storing it as a local variable). When doing so the order in which the rules are laid out in the YAML isn't being preserved. Do you know of a way to accomplish this?