PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Provisioning NAT rule group crashes the terraform process #375

Open chobodav opened 1 year ago

chobodav commented 1 year ago

Describe the bug

We have Panorama version 11.0, and it is not possible to create any NAT rule using Terraform.

Here is simple code, similar to the sample:

resource "panos_nat_rule_group" "bot" {
    rule {
        name = "second"
        audit_comment = "Initial config"
        original_packet {
            source_zones = ["eth-untrust"]
            destination_zone = "eth-untrust"
            destination_interface = "ethernet1/2"
            source_addresses = ["any"]
            destination_addresses = ["any"]
        }
        translated_packet {
            source {}
            destination {
                static_translation {
                    address = "10.2.3.1"
                    port = 5678
                }
            }
        }
    }
    lifecycle {
        create_before_destroy = true
    }
}

Expected behavior

NAT rule is provisioned.

Current behavior

Plugin crashes.

panos_nat_rule_group.bot: Creating...
╷
│ Error: Plugin did not respond
│
│   with panos_nat_rule_group.bot,
│   on nat-rules.tf line 2, in resource "panos_nat_rule_group" "bot":
│    2: resource "panos_nat_rule_group" "bot" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The
│ plugin logs may contain more details.
╵

Stack trace from the terraform-provider-panos_v1.11.1.exe plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 39 [running]:
github.com/terraform-providers/terraform-provider-panos/panos.createUpdateNatRuleGroup(0x12fcc600, {0x1297340, 0x12cab3b0})
        github.com/terraform-providers/terraform-provider-panos/panos/nat_rule_group.go:175 +0xbee
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0x12e0a0a0, 0x12c4fd40, 0x1329e498, {0x1297340, 0x12cab3b0})
        github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x4fb
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0x12e0b310, 0x1300dd00, 0x12c4fd40, 0x1329e498)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x7d
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0x12c06a50, {0x14cd034, 0x1321e648}, 0x13549e80)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x8af
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1279a00, 0x12c06a50}, {0x14cd034, 0x1321e648}, 0x12c4f4d0, 0x0)
        github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x18a
google.golang.org/grpc.(*Server).processUnaryRPC(0x12dabe60, {0x14e1574, 0x12cdab00}, 0x13221170, 0x12e4d428, 0x1b80740, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1194 +0xd30
google.golang.org/grpc.(*Server).handleStream(0x12dabe60, {0x14e1574, 0x12cdab00}, 0x13221170, 0x0)
        google.golang.org/grpc@v1.32.0/server.go:1517 +0xa2d
google.golang.org/grpc.(*Server).serveStreams.func1.2(0x12c1e290, 0x12dabe60, {0x14e1574, 0x12cdab00}, 0x13221170)
        google.golang.org/grpc@v1.32.0/server.go:859 +0x92
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.32.0/server.go:857 +0x1a7

Error: The terraform-provider-panos_v1.11.1.exe plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Possible solution

Steps to reproduce

Run Terraform with the panos provider and a simple NAT rule.

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 1 year ago

Line 175 is the panos provider trying to get the device_group parameter, which is undefined in your config. Does the error go away if you define device_group instead of leaving it empty?
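The failure mode described in the comment above, as an added Go example that is not the provider's code and not part of the thread: an unset attribute reads back as a nil interface, and a single-value type assertion on it panics with the message in the stack trace. The names `config`, `unsafeString`, `safeString` and `panicMessage` are hypothetical, and the `"shared"` fallback is an assumed default.

```go
package main

import "fmt"

// config stands in for the resource data a provider reads from (hypothetical
// type): an attribute that was never set comes back as a nil interface value.
type config map[string]interface{}

// unsafeString shows the failing pattern: a single-value type assertion
// panics when the stored value is nil instead of a string.
func unsafeString(c config, key string) string {
	return c[key].(string)
}

// safeString uses the comma-ok form: unset keys get the fallback, and a
// value of the wrong type becomes an error the caller can report.
func safeString(c config, key, fallback string) (string, error) {
	v, present := c[key]
	if !present || v == nil {
		return fallback, nil
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("%s: expected string, got %T", key, v)
	}
	return s, nil
}

// panicMessage runs f and returns the recovered panic text, or "" if f
// returned normally.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return ""
}

func main() {
	c := config{"name": "second"} // constructed input: device_group is unset
	fmt.Println("unchecked:", panicMessage(func() { unsafeString(c, "device_group") }))
	dg, err := safeString(c, "device_group", "shared") // "shared" is an assumed default
	fmt.Println("checked:", dg, err)
}
```

Returning an error from the checked form lets a provider surface a normal diagnostic instead of taking down the plugin process mid-apply.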

chobodav commented 1 year ago

Hi @shinmog, thanks for the reply. I was not sure if I tried this before as this option is described in the doc: https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs/resources/nat_rule_group#device_group

So I tried one more time:

│ Error: Unsupported argument
│
│   on nat-rules.tf line 3, in resource "panos_nat_rule_group" "bot":
│    3:     device_group = panos_device_group.device_group_vm.name
│
│ An argument named "device_group" is not expected here.

This is during terraform validate/plan/apply. I remember that I got the error before during validation, so I didn't even try apply. Plus, I expected that at least the defaults for device_group and rulebase would be used.

ganderson-rw commented 1 week ago

Hi, we just hit a roadblock with this also. Can't seem to create any kind of NAT rules in Panorama with this. We are hoping to provision the rulesets for our templates and stacks with IaC, but have run into this. We cannot route traffic onto the IPv4 Internet without NAT rules! Is there anyone that can help us fix this please? Really hopeful to work toward a functional IaC deployment of policy into Panorama! 🤞

ganderson-rw commented 1 week ago

Using the resource that is deprecated (panos_panorama_nat_rule) actually works...it is less powerful but I can get started. Not sure if it will ultimately do what we need yet. Anything I can do to help out with fixing the resource (panos_nat_rule_group) which we are supposed to be using now?

ganderson-rw commented 1 week ago

I see...with the deprecated code, there is no ability to order our ruleset. This is a feature that is available in the new code, but doesn't work with Panorama. Doh!