Closed dsmagen18 closed 2 years ago
@dsmagen18 To assign the cloud account to existing account groups, instead of giving names of the account groups you have to provide their UUIDs in the group_ids field.
Hi @trishala1999. Thanks for the quick response. Where is the UUID of an account group listed? It is not in Settings->Account Groups, and does not appear as an available column. Perhaps some Prisma API query?
@dsmagen18 You can get account group id in multiple ways -
As for #1, Settings->Account Groups, editing an account group shows blank under "Non-Onboarded Account IDs". Trying #2 and #3...
As for #2, after getting the 10 minute token, the following API call:
```
curl --request GET \
  --url 'https://api.prismacloud.io/cloud/group?excludeCloudAccountDetails=false' \
  --header 'x-redlock-auth: 1111222233334444'
```
generated no output and no error. Could the UUIDs just be missing from the account groups?
@trishala1999,
Your suggestion #2, the python script, was a winner!!! Thanks so much
Steps:

1) Generate the JWT token. Ref: https://prisma.pan.dev/docs/cloud/cspm/cspm-gs
2) Create the Python script getAccountGroupUUID below, replacing:
   a) api.prismacloud.io with the actual one (ex: api3.prismacloud.io). Ref: https://prisma.pan.dev/api/cloud/api-urls
   b) SOME_BOOLEAN_VALUE -> "false"
   c) REPLACE_KEY_VALUE -> JWT obtained above (ex: "1234567890")

```python
import requests

# Account group listing endpoint; swap in the API host for your tenant.
url = "https://api.prismacloud.io/cloud/group"
querystring = {"excludeCloudAccountDetails": "SOME_BOOLEAN_VALUE"}
# The JWT is sent in the x-redlock-auth header.
headers = {"x-redlock-auth": "REPLACE_KEY_VALUE"}

response = requests.request("GET", url, headers=headers, params=querystring)
print(response.text)
```

3) Run the Python script: python getAccountGroupUUID.py
4) The script returns a HUGE string of account group data, including the account group UUIDs. Parse it.
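For the parsing in step 4, an added example (not part of the original thread or the provider's own code): it turns the response body into a name-to-UUID map and resolves the group names you want into the list that group_ids expects. The sample body is constructed, and the `id` and `name` field names are assumptions about the response shape.

```python
import json
import uuid

# Constructed sample of a GET /cloud/group response body (not real data).
# Assumed shape: a JSON array of objects carrying at least "id" and "name".
SAMPLE_RESPONSE = json.dumps([
    {"id": "0f3a2c1e-5b7d-4e2a-9c41-1a2b3c4d5e6f", "name": "ABC", "accountIds": []},
    {"id": "7c9e6679-7425-40de-944b-e07fc1f90ae7", "name": "Default Account Group",
     "accountIds": ["111111111111"]},
])


def index_groups(response_text):
    """Return {group name: UUID string} from the raw response body."""
    if not response_text.strip():
        # An empty body gives nothing to parse; fail loudly instead of silently.
        raise ValueError("empty response body; check the token and the API URL")
    groups = json.loads(response_text)
    if not isinstance(groups, list):
        raise ValueError("expected a JSON array of account groups")
    index = {}
    for group in groups:
        name, gid = group["name"], group["id"]
        uuid.UUID(gid)  # raises ValueError if the id is not a well-formed UUID
        if name in index:
            raise ValueError(f"duplicate account group name: {name!r}")
        index[name] = gid
    return index


def resolve_group_ids(response_text, wanted_names):
    """Map account group names to the UUIDs that group_ids expects."""
    index = index_groups(response_text)
    missing = [n for n in wanted_names if n not in index]
    if missing:
        raise KeyError(f"no such account group(s): {missing}")
    return [index[n] for n in wanted_names]


def as_hcl(ids):
    """Render the UUIDs as a Terraform group_ids attribute line."""
    return "group_ids = [" + ", ".join(json.dumps(i) for i in ids) + "]"


if __name__ == "__main__":
    print(as_hcl(resolve_group_ids(SAMPLE_RESPONSE, ["ABC"])))
```

To use it with the script above, pass `response.text` in place of `SAMPLE_RESPONSE`.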
Describe the bug
When creating a new Prisma account group, there is a required parameter "group_ids". When this parameter is defined with existing account groups, it generates error 404
Error: 400/https://api3.prismacloud.io/cloud/aws Error(msg:invalid_account_group_ids severity:error subject:)
But - if a new account group resource is specified, Terraform will create both the new account and new account group with no error
Expected behavior
When creating a new Prisma account, existing account groups should be accepted
Current behavior
When creating a new Prisma account, existing account groups are rejected with error 400
Steps to reproduce
The following works, but mistakenly creates a new account group instead of using an existing one:
```
resource "prismacloud_cloud_account" "ABC-Sample-01" {
  disable_on_destroy = true
  aws {
  }
}

resource "prismacloud_account_group" "g1" {
  name = "ABC"
}
```
This does not work, and results with error 404:
```
resource "prismacloud_cloud_account" "NGC-Sample-01" {
  disable_on_destroy = true
  aws {
  }
}
```
=======================================================
Full Error:

```
| Error: 400/https://api3.prismacloud.io/cloud/aws Error(msg:invalid_account_group_ids severity:error subject:)
│ with prismacloud_cloud_account.NGC-Sample-01,
│ on main.tf line 19, in resource "prismacloud_cloud_account" "NGC-Sample-01":
│ 19: resource "prismacloud_cloud_account" "NGC-Sample-01" {
```

===============================
Tail of log file:

```
2022-06-24T00:45:37.716Z [WARN] Provider "registry.terraform.io/paloaltonetworks/prismacloud" produced an invalid plan for prismacloud_cloud_account.NGC-Sample-01, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:
```