related to a problem: upon any update of a panos_security_rule_group, there is 1 action=move sent for each rule present in the group. For large groups, this generate thousands of requests, sent one after another, which is unnecessary slow and expensive.
Describe the solution you'd like
there should only be move actions when needed so either
all the moves requests can be sent in bulk through a single API call if available
or only the needed move requests are sent (so if we have rules A B C D in one panos_security_rule_group, if we remove B then only the action "move C after A" is sent)
or there is a way to relax the moves (for example a position_keyword="somewhere", and no action=move is sent at all, if that works)
or there is a way to put every rule after the first rule: if A is the first element, A should be moved according to its position_keyword, and all other elements should be moved "after A". If we have rules A B C D, if we update or remove B we do no move action. If we add E, we move it after A. If A is updated or deleted then we elect the new first element and move everybody under it, but it should be a rather rare case.
Describe alternatives you've considered
I am considering implementing that last option, playing with
the alternative we found is to live with the slowness..
Additional context
Discovered terraform apply was stuck waiting for modifications to complete in panorama and found all these calls.
We do not care about the order of the rules within the panos_security_rule_group so all these moves seem useless.
Is your feature request related to a problem?
related to a problem: upon any update of a panos_security_rule_group, there is 1 action=move sent for each rule present in the group. For large groups, this generate thousands of requests, sent one after another, which is unnecessary slow and expensive.
Describe the solution you'd like
there should only be move actions when needed so either
Describe alternatives you've considered
I am considering implementing that last option, playing with
https://github.com/PaloAltoNetworks/pango/blob/dba4c1566648dbf17471e4cae313d7ebe1846b68/poli/security/pano.go#L133
the alternative we found is to live with the slowness..
Additional context
Discovered terraform apply was stuck waiting for modifications to complete in panorama and found all these calls. We do not care about the order of the rules within the panos_security_rule_group so all these moves seem useless.