PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License
89 stars 73 forks

panos_management_profile doesn't support userid-syslog-listener-udp #369

Open darkhonor opened 1 year ago

darkhonor commented 1 year ago

Describe the bug

When applying a basic management profile for my device, I receive an error that the userid-syslog-listener-udp option is unexpected.

Expected behavior

The configuration should commit as expected

Current behavior

When running a terraform apply, I receive the following plan and error message:

  # panos_management_profile.admin will be created
  + resource "panos_management_profile" "admin" {
      + http                       = false
      + http_ocsp                  = false
      + https                      = true
      + id                         = (known after apply)
      + name                       = "allow-admin"
      + ping                       = true
      + response_pages             = false
      + snmp                       = false
      + ssh                        = true
      + telnet                     = false
      + userid_service             = false
      + userid_syslog_listener_ssl = false
      + userid_syslog_listener_udp = false
    }

  # panos_management_profile.ping will be created
  + resource "panos_management_profile" "ping" {
      + http                       = false
      + http_ocsp                  = false
      + https                      = false
      + id                         = (known after apply)
      + name                       = "allow-ping"
      + ping                       = true
      + response_pages             = false
      + snmp                       = false
      + ssh                        = false
      + telnet                     = false
      + userid_service             = false
      + userid_syslog_listener_ssl = false
      + userid_syslog_listener_udp = false
    }

Plan: 2 to add, 3 to change, 0 to destroy.
panos_management_profile.admin: Creating...
panos_management_profile.ping: Creating...
╷
│ Error: allow-ping -> userid-syslog-listener-udp unexpected here
│ 
│   with panos_management_profile.ping,
│   on mgt_profiles.tf line 4, in resource "panos_management_profile" "ping":
│    4: resource "panos_management_profile" "ping" {

The proposed changes are correct, but my device doesn't respond well. In the Web UI, this isn't an option even though it's in the documentation. Is there somewhere in the device settings to enable this option or should it be ignored by default?

Possible solution

Is there a way to not make this a mandatory entry?

Steps to reproduce

Code used:

resource "panos_management_profile" "ping" {
  name = "allow-ping"
  ping = true
  # null is the same as omitting the attribute; the provider then plans it as false
  userid_syslog_listener_udp = null

  lifecycle {
    create_before_destroy = true
  }
}

resource "panos_management_profile" "admin" {
  name  = "allow-admin"
  ping  = true
  ssh   = true
  https = true
  # null is the same as omitting the attribute; the provider then plans it as false
  userid_syslog_listener_udp = null

  lifecycle {
    create_before_destroy = true
  }
}
  1. Wrote the above code
  2. terraform apply
  3. yes
  4. Fail

Context

I'm trying to migrate my current firewall configuration into Terraform.

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

jamesholland-uk commented 1 year ago

Hi @darkhonor, I can't replicate this error at the moment, using PAN-OS 11.0 and Provider 1.11.0. For example:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # panos_management_profile.admin will be created
  + resource "panos_management_profile" "admin" {
      + http                       = false
      + http_ocsp                  = false
      + https                      = true
      + id                         = (known after apply)
      + name                       = "allow-admin"
      + ping                       = true
      + response_pages             = false
      + snmp                       = false
      + ssh                        = true
      + telnet                     = false
      + userid_service             = false
      + userid_syslog_listener_ssl = false
      + userid_syslog_listener_udp = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.
panos_management_profile.admin: Creating...
panos_management_profile.admin: Creation complete after 0s [id=allow-admin]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

You should indeed see the three User-ID options for Interface Management Profiles in the GUI as well: [screenshot, 2023-02-13 11:59:19]

I've tried to think what else could be at play here, and I wondered if there are other uncommitted changes in the config which are somehow getting in the way and causing a conflict? The error message makes no sense, because userid-syslog-listener-udp very much IS expected in the config, and I can use Terraform to set it to true, as well as null, or not specify it in the code (defaults to false): [screenshot, 2023-02-13 12:02:20]

Are there any other factors in play here? What were the other changes in the Terraform plan? (2 to create, but there were 3 to change as well). Are there any other tools or scripts using the API of your PA-440?
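The error text ("userid-syslog-listener-udp unexpected here") is the PAN-OS XML API rejecting a child node at the xpath of the interface-management-profile entry, so the quickest way to separate a device-side schema problem from a provider problem is to issue the same "set" call directly, once with the two User-ID syslog nodes and once without, and compare the replies. The script below is an added example, not code from the issue or from terraform-provider-panos: it renders the entry element from the attribute names seen in the plan above (the node names follow the PAN-OS config schema as shown in the error message), builds the API URL, and classifies the device's reply. The host, API key and profile name are placeholders, and the sample reply at the bottom is constructed to match the shape of the error in the issue.

```python
"""Isolate whether PAN-OS itself rejects <userid-syslog-listener-udp> at the
interface-management-profile xpath, independently of the Terraform provider.

Added example, not part of the issue or of terraform-provider-panos. Host,
API key and profile name are placeholders; SAMPLE_REJECT_REPLY is constructed.
"""
import urllib.parse
import xml.etree.ElementTree as ET

MGMT_PROFILE_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/network/profiles/interface-management-profile/entry[@name='{name}']"
)

# Terraform attribute (as shown in the plan) -> PAN-OS config node name.
NODE_FOR_ATTR = {
    "ping": "ping", "telnet": "telnet", "ssh": "ssh", "http": "http",
    "http_ocsp": "http-ocsp", "https": "https", "snmp": "snmp",
    "response_pages": "response-pages", "userid_service": "userid-service",
    "userid_syslog_listener_ssl": "userid-syslog-listener-ssl",
    "userid_syslog_listener_udp": "userid-syslog-listener-udp",
}
USERID_SYSLOG_NODES = ("userid-syslog-listener-ssl", "userid-syslog-listener-udp")

# Constructed reply in the shape of the error quoted in the issue.
SAMPLE_REJECT_REPLY = (
    '<response status="error"><msg><line>'
    'allow-ping -> userid-syslog-listener-udp unexpected here'
    '</line></msg></response>'
)


def profile_element(attrs, include_userid_syslog=True):
    """Render the <entry> element for one management profile.

    attrs maps the Terraform attribute names to booleans; a missing or False
    attribute is emitted as 'no', mirroring the plan output above. Passing
    include_userid_syslog=False drops the two syslog-listener nodes so the same
    profile can be sent without the node the device complains about.
    """
    entry = ET.Element("entry", name=attrs["name"])
    for attr, node in NODE_FOR_ATTR.items():
        if not include_userid_syslog and node in USERID_SYSLOG_NODES:
            continue
        ET.SubElement(entry, node).text = "yes" if attrs.get(attr, False) else "no"
    return ET.tostring(entry, encoding="unicode")


def set_request(host, api_key, attrs, include_userid_syslog=True):
    """Build the XML API 'set' URL for the profile (paste into curl -k to run it)."""
    params = {
        "type": "config",
        "action": "set",
        "key": api_key,
        "xpath": MGMT_PROFILE_XPATH.format(name=attrs["name"]),
        "element": profile_element(attrs, include_userid_syslog),
    }
    return f"https://{host}/api/?" + urllib.parse.urlencode(params)


def classify_response(xml_text):
    """Reduce a device reply to (kind, message).

    kind is 'ok', 'schema-reject' (the node is not accepted at that xpath on
    this device, i.e. the provider is not at fault) or 'other-error'.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        return "ok", ""
    msg = " ".join(t.strip() for t in root.itertext() if t.strip())
    if "unexpected here" in msg:
        return "schema-reject", msg
    return "other-error", msg


if __name__ == "__main__":
    profile = {"name": "allow-ping", "ping": True}
    # Placeholder host and key: replace before running against a firewall.
    print(set_request("firewall.example", "REPLACE_WITH_API_KEY", profile))
    print(set_request("firewall.example", "REPLACE_WITH_API_KEY", profile,
                      include_userid_syslog=False))
    print(classify_response(SAMPLE_REJECT_REPLY))
```

If the first call returns the "unexpected here" error and the second succeeds, the device's schema at that xpath does not include the node and the provider can only work around it by omitting it; if both calls succeed, the failure lies elsewhere (for example the uncommitted changes or the "3 to change" resources mentioned above), and the provider's request should be captured and compared with the one this script sends.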

dsmorse commented 1 year ago

I'm getting the same error on my 460s. Could it be related to having the Palos in FIPS mode?