PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Commit via Terraform shows successful but Console shows commit failed on incorrect NAT rule #391

Open mhca99 opened 1 year ago

mhca99 commented 1 year ago

Describe the bug

After creating a simple NAT rule via Palo Alto Terraform module "panos_nat_rule_group", when the commit is done via the API in a Terraform null_resource, the API response is successful and the commit job is queued. However, when checking the FW GUI under Task Manager, the status of the commit is failed due to the incorrect NAT rule, which Terraform pushed successfully earlier with "panos_nat_rule_group".

Expected behavior

1) If the NAT rule had incorrect settings, Terraform should not have applied it successfully on the firewall.
2) When doing the commit via the API, it should not respond with a successful commit message if the commit is failing due to incorrect FW configuration.

Current behavior

1) The NAT rule with incorrect settings was successfully pushed by the Terraform module.
2) The commit was enqueued and reported successful during the Terraform deployment; however, the Firewall Console/Task Manager shows the commit failed due to a configuration error in the NAT rule.

Possible solution

Steps to reproduce

Create the svc object, NAT rule and null_resource as follows:

resource "panos_service_object" "svc" {
    name = "ssh-5678"
    vsys = "vsys1"
    protocol = "tcp"
    description = "ssh port for web"
    destination_port = "5678"

    lifecycle {
        create_before_destroy = true
    }
}

resource "panos_nat_rule_group" "test" {
    rule {
        name = "nat_rule04"
        audit_comment = "Initial config"
        original_packet {
            source_zones = ["untrust"]
            destination_zone = "untrust"
            destination_interface = "any"
            source_addresses = ["any"]
            destination_addresses = ["any"]
            service = "ssh-5678"
        }
        translated_packet {
            source {}
            destination {
                static_translation {
                    address = "10.0.0.3"
                    port = 22
                }
            }
        }
    }

    lifecycle {
        create_before_destroy = true
    }
    depends_on = [resource.panos_service_object.svc]
}

resource "null_resource" "commit" {
  provisioner "local-exec" {
    command = <<EOF

    curl -k -X GET -H 'Authorization: Basic XXXX ' 'https://${var.primary_mgmt_ip}/api/?type=commit&cmd=<commit></commit>'
    EOF
  }
  depends_on = [resource.panos_nat_rule_group.test, resource.panos_service_object.svc]
}

Context

Adding and testing firewall policies/rules

Your Environment

model: PA-VM
vm-mode: KVM
cloud-mode: cloud
sw-version: 11.0.1
vm_series: vm_series-4.0.1
platform-family: vm
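
Added example, not part of the issue or of the provider's code: the reply to `type=commit` only acknowledges that a job was queued, so a pipeline that wants the real outcome has to read the job record (`type=op&cmd=<show><jobs><id>N</id></jobs></show>`) and fail the run unless the result is `OK`. The XML samples below are constructed, and `fetch_job_xml` is a hypothetical callable standing in for that HTTP request.

```python
import time
import xml.etree.ElementTree as ET

# Constructed sample replies, shaped like PAN-OS XML API responses.
ENQUEUED = ('<response status="success" code="19"><result><msg>'
            '<line>Commit job enqueued with jobid 7</line></msg>'
            '<job>7</job></result></response>')
JOB_ACT = ('<response status="success"><result><job><id>7</id>'
           '<type>Commit</type><status>ACT</status><result>PEND</result>'
           '</job></result></response>')
JOB_FAIL = ('<response status="success"><result><job><id>7</id>'
            '<type>Commit</type><status>FIN</status><result>FAIL</result>'
            '<details><line>constructed validation error for nat_rule04</line>'
            '<line>Commit failed</line></details></job></result></response>')

def enqueued_job_id(xml_text):
    """Return the job id from a commit reply, or None if nothing was queued."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("commit request rejected: " + xml_text)
    job = root.findtext("./result/job")
    return int(job) if job else None  # no <job>: there was nothing to commit

def job_outcome(xml_text):
    """Return (status, result, detail_lines) from a 'show jobs id' reply."""
    job = ET.fromstring(xml_text).find("./result/job")
    if job is None:
        raise RuntimeError("no <job> element in reply")
    lines = [line.text or "" for line in job.findall("./details/line")]
    return job.findtext("status"), job.findtext("result"), lines

def wait_for_commit(fetch_job_xml, job_id, interval=5.0, attempts=120):
    """Poll until the job status is FIN; raise unless its result is OK.

    fetch_job_xml(job_id) is a hypothetical callable returning the reply body.
    """
    for _ in range(attempts):
        status, result, lines = job_outcome(fetch_job_xml(job_id))
        if status == "FIN":
            if result != "OK":
                raise RuntimeError(f"commit job {job_id} {result}: " + "; ".join(lines))
            return lines
        time.sleep(interval)
    raise TimeoutError(f"commit job {job_id} still running")
```

Run from a `local-exec` provisioner, a non-zero exit from a script built on `wait_for_commit` makes `terraform apply` fail when the firewall rejects the candidate configuration.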

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!