PaloAltoNetworks / terraform-provider-prismacloud

Terraform PrismaCloud provider
https://www.terraform.io/docs/providers/prismacloud/
Mozilla Public License 2.0

Error 400: When creating a new Prisma account, parameter group_ids only creates new account groups, will not add to an existing account group #141

Closed dsmagen18 closed 2 years ago

dsmagen18 commented 2 years ago

Describe the bug

When creating a new Prisma account group, there is a required parameter "group_ids". When this parameter is defined with existing account groups, it generates error 404

Error: 400/https://api3.prismacloud.io/cloud/aws Error(msg:invalid_account_group_ids severity:error subject:)

But - if a new account group resource is specified, Terraform will create both the new account and new account group with no error

Expected behavior

When creating a new Prisma account, existing account groups should be accepted

Current behavior

When creating a new Prisma account, existing account groups are rejected with error 400

Steps to reproduce

The following works, but mistakenly creates a new account group instead of using an existing one:

resource "prismacloud_cloud_account" "ABC-Sample-01" {
  disable_on_destroy = true
  aws {
    account_type    = "account"
    protection_mode = "MONITOR"
    name            = "Terraform_test_acct_05"
    account_id      = "111111111111"
    external_id     = "22222222-2222-2222-2222-22222"
    role_arn        = "arn:aws:iam::111111111111:role/PrismaCloudPoCReadOnlyRole"
    group_ids = [
      prismacloud_account_group.g1.group_id,
    ]
  }
}

resource "prismacloud_account_group" "g1" {
  name = "ABC"
}

This does not work, and results with error 404:

resource "prismacloud_cloud_account" "NGC-Sample-01" {
  disable_on_destroy = true
  aws {
    account_type    = "account"
    protection_mode = "MONITOR"
    name            = "Terraform_test_acct_05"
    account_id      = "111111111111"
    external_id     = "22222222-2222-2222-2222-22222"
    role_arn        = "arn:aws:iam::537482066250:role/PrismaCloudPoCReadOnlyRole"
    group_ids = [
      "TerraformTest", "ABC"
    ]
  }
}

Full Error:

│ Error: 400/https://api3.prismacloud.io/cloud/aws Error(msg:invalid_account_group_ids severity:error subject:)
│
│   with prismacloud_cloud_account.NGC-Sample-01,
│   on main.tf line 19, in resource "prismacloud_cloud_account" "NGC-Sample-01":
│   19: resource "prismacloud_cloud_account" "NGC-Sample-01" {

Tail of log file:

2022-06-24T00:45:37.716Z [WARN] Provider "registry.terraform.io/paloaltonetworks/prismacloud" produced an invalid plan for prismacloud_cloud_account.NGC-Sample-01, but we are tolerating it because it is using the legacy plugin SDK. The following problems may be the cause of any confusing errors from downstream operations:

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

trishala1999 commented 2 years ago

@dsmagen18 To assign the cloud account to existing account groups, instead of giving the names of the account groups you have to provide their UUIDs in the group_ids field.

dsmagen18 commented 2 years ago

Hi @trishala1999. Thanks for the quick response. Where is the UUID of an account group listed? It is not in Settings->Account Groups, and does not appear as an available column. Perhaps some Prisma API query?

trishala1999 commented 2 years ago

@dsmagen18 You can get the account group id in multiple ways:

  1. In the UI, under Settings -> Account Groups, click on edit account group and you will get the id in the URL.
  2. You can also use this API https://prisma.pan.dev/api/cloud/cspm/account-groups#operation/get-account-group-name to get the names and ids of all account groups.
  3. Or else you can use the Terraform data source prismacloud_account_group or prismacloud_account_groups to get the id.

dsmagen18 commented 2 years ago

As for #1, Settings->Account Groups, editing the account group shows blank under "Non-Onboarded Account IDs". Trying #2 and #3...

dsmagen18 commented 2 years ago

As for #2, after getting the 10 minute token, the following API call:

curl --request GET \
  --url 'https://api.prismacloud.io/cloud/group?excludeCloudAccountDetails=false' \
  --header 'x-redlock-auth: 1111222233334444'

generated no output and no error. Could the UUIDs just be missing from the account groups?

dsmagen18 commented 2 years ago

@trishala1999,

Your suggestion #2, the python script, was a winner!!! Thanks so much.

Steps:

1) Generate the JWT token. Ref: https://prisma.pan.dev/docs/cloud/cspm/cspm-gs

2) Create the python script getAccountGroupUUID.py below, replacing:
   a) api.prismacloud.io with the actual one (ex: api3.prismacloud.io). Ref: https://prisma.pan.dev/api/cloud/api-urls
   b) SOME_BOOLEAN_VALUE -> "false"
   c) REPLACE_KEY_VALUE -> JWT obtained above (ex: "1234567890")

import requests

# Replace api.prismacloud.io with the API URL for your tenant (ex: api3.prismacloud.io)
url = "https://api.prismacloud.io/cloud/group"
# "false" keeps the cloud account details in the response
querystring = {"excludeCloudAccountDetails": "SOME_BOOLEAN_VALUE"}
# JWT obtained from the login step in 1)
headers = {"x-redlock-auth": "REPLACE_KEY_VALUE"}
response = requests.request("GET", url, headers=headers, params=querystring)
print(response.text)

3) run the python script: python getAccountGroupUUID.py

4) The script returns a HUGE string of account group data, including the account group UUIDs. Parse it.
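The "parse it" step above, together with the name-to-UUID translation that the original failing config needed, as an added example (not code from this thread or from the provider). It assumes the GET /cloud/group body is a JSON list of objects that carry at least "id" and "name" keys, uses the standard library instead of requests, and reads the API host and JWT from environment variables (PRISMA_API_HOST and PRISMA_JWT, names chosen here for illustration) so the short-lived token is never hardcoded next to the Terraform code. With no token set it runs against a constructed sample response.

```python
"""Resolve Prisma Cloud account group names to the UUIDs that the
provider's group_ids argument expects.

Added example, not code from the issue thread or the provider. Assumed:
the /cloud/group response is a JSON list whose entries carry "id" and
"name"; PRISMA_API_HOST and PRISMA_JWT are illustrative variable names.
"""
import json
import os
import urllib.request

# Constructed sample, shaped like the /cloud/group output described in
# the last comment: a list of group objects with extra fields we ignore.
SAMPLE_RESPONSE = json.dumps([
    {"id": "11111111-1111-4111-8111-111111111111", "name": "ABC",
     "accountIds": ["111111111111"], "description": ""},
    {"id": "22222222-2222-4222-8222-222222222222", "name": "TerraformTest",
     "accountIds": [], "description": "constructed sample"},
])


def parse_account_groups(response_text):
    """Return a {name: uuid} mapping from the raw /cloud/group body.

    Entries without a name or id, and duplicate names, are rejected
    instead of silently overwritten: a wrong UUID would attach the cloud
    account to the wrong group, which is worse than a failed plan.
    """
    groups = json.loads(response_text)
    if not isinstance(groups, list):
        raise ValueError("expected a JSON list of account groups")
    mapping = {}
    for group in groups:
        name, group_id = group.get("name"), group.get("id")
        if not name or not group_id:
            raise ValueError("account group entry missing 'name' or 'id': %r" % group)
        if name in mapping:
            raise ValueError("account group name is not unique: %r" % name)
        mapping[name] = group_id
    return mapping


def resolve_group_ids(mapping, names):
    """Translate human-readable names (what the failing config passed to
    group_ids) into the UUID list the API accepts. Unknown names raise
    rather than being dropped, since a partial list would onboard the
    account into fewer groups than the author intended."""
    missing = [n for n in names if n not in mapping]
    if missing:
        raise KeyError("unknown account group name(s): %s" % ", ".join(missing))
    return [mapping[n] for n in names]


def fetch_account_groups(api_host, token):
    """GET /cloud/group, sending the 10-minute JWT in x-redlock-auth.

    api_host is the tenant's API host, e.g. "api3.prismacloud.io" (see the
    API URLs reference linked in the thread); token is the JWT from step 1.
    """
    url = "https://%s/cloud/group?excludeCloudAccountDetails=false" % api_host
    req = urllib.request.Request(url, headers={
        "x-redlock-auth": token,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Host and token come from the environment so the JWT is never written
    # into the script or committed alongside main.tf.
    host = os.environ.get("PRISMA_API_HOST", "api.prismacloud.io")
    token = os.environ.get("PRISMA_JWT")
    body = fetch_account_groups(host, token) if token else SAMPLE_RESPONSE
    groups = parse_account_groups(body)
    # The two names from the issue's failing config, now as UUIDs
    # ready to paste into group_ids.
    print(json.dumps(resolve_group_ids(groups, ["TerraformTest", "ABC"]), indent=2))
```

Run it with PRISMA_API_HOST and PRISMA_JWT exported to query a real tenant, or with neither set to exercise the parser on the constructed sample; the printed list is what goes into group_ids in place of the names.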