PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Decryption Type no longer valid after Upgrade to PAN-OS 10.2.3 #366

Closed leighllew closed 1 year ago

leighllew commented 1 year ago

We're getting an error stating the ssl-inbound-inspection type is invalid. Running latest Terraform Provider 1.11.0

Error: inbound-decrypt-web-xx-xxxx-com -> type -> ssl-inbound-inspection unexpected here | inbound-decrypt-web-xx-xxxx-com -> type -> ssl-inbound-inspection is unexpected | inbound-decrypt-web-xx-xxxx-com -> type is invalid

Example of the Terraform code:

```hcl
resource "panos_decryption_rule_group" "inbound" {
  # each.value / each.key come from a for_each on this resource that is not
  # included in the excerpt.
  rulebase         = "post-rulebase"
  position_keyword = "top"
  device_group     = local.device_group

  rule {
    name                  = "inbound-decrypt-${each.value.name}"
    description           = "Created in terraform."
    source_zones          = ["Untrust"]
    source_users          = ["any"]
    source_addresses      = ["any"]
    destination_zones     = ["Transit"]
    destination_addresses = [panos_panorama_address_object.ingress_public[0].name]
    services              = ["any"]
    url_categories = compact(flatten([
      each.value.name,
      [for key, val in local.map_waf_listeners : val.name if val.redirect == each.key]
    ]))
    action                    = "decrypt"
    decryption_type           = "ssl-inbound-inspection"
    ssl_certificate           = each.value.name
    decryption_profile        = "azure-default"
    log_failed_tls_handshakes = var.firewall_rule_log_failed_tls_handshakes
  }
}
```

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

jamesholland-uk commented 1 year ago

Thanks for reporting this, Leigh. I can see a diff in the XML from 10.1 to 10.2, the PAN-OS upgrade in scope:

diff 10.1.6-config.xml 10.2.3-config.xml
2c2
< <config version="10.1.0" urldb="paloaltonetworks" detail-version="10.1.6">
---
> <config version="10.2.0" urldb="paloaltonetworks" detail-version="10.2.3">
156c156,160
<                     <ssl-inbound-inspection>test-tls-cert</ssl-inbound-inspection>
---
>                     <ssl-inbound-inspection>
>                       <certificates>
>                         <member>test-tls-cert</member>
>                       </certificates>
>                     </ssl-inbound-inspection>
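Review bot: the 10.2 shape turns the certificate into a `<certificates><member>` list, so the provider's `ssl_certificate` attribute (a single string in the HCL above) has to write the member list on 10.2 and keep writing plain character data on 10.1, and likewise read both shapes back; a provider that still sends `<ssl-inbound-inspection>test-tls-cert</ssl-inbound-inspection>` to 10.2 is exactly what produces the "type is invalid" error in the report. The diff only shows one member, so whether 10.2 accepts several certificates here isn't visible from it.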

This XML change looks like it was introduced for this feature, which makes sense. We'll need to handle this in the provider as an enhancement.

shinmog commented 1 year ago

Fixed by v1.11.1