PaloAltoNetworks / terraform-provider-sase

Terraform provider for SASE API
Apache License 2.0

sase_ike_gateways resource fails to create with obscure error #6

Open ancoleman opened 1 year ago

ancoleman commented 1 year ago

Describe the bug

When trying to create the resource `sase_ike_gateways`, the error "object not found" is generated.

Expected behavior

The Ike Gateway resource is created

Current behavior

The Ike Gateway resource fails to create

Possible solution

Steps to reproduce


resource "sase_ike_gateways" "this" {
  folder = "Remote Networks"
  name = "terraform-ike-1"
  authentication = {
    allow_id_payload_mismatch    = false
    certificate_profile          = ""
    local_certificate            = null
    strict_validation_revocation = false
    use_management_as_source     = false
    pre_shared_key               = {
      key = "mytestkey1234"
    }
  }
  peer_address = {
    dynamic_value = null
    fdqn = ""
    ip = "81.107.85.199"
  }
  protocol = {
    ikev1 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = ""
    }
    ikev2 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
    }
  }
}
(venv) (base) acoleman@M-KGYXTTH2MF remote_networks % terraform apply --auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - paloaltonetworks-local/sase in /Users/acoleman/Documents/Projects/PracticeDevelopment/github/terraform-provider-sase
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # sase_ike_gateways.this will be created
  + resource "sase_ike_gateways" "this" {
      + authentication = {
          + allow_id_payload_mismatch    = false
          + pre_shared_key               = {
              + key = "mytestkey1234"
            }
          + strict_validation_revocation = false
          + use_management_as_source     = false
        }
      + folder         = "Remote Networks"
      + id             = (known after apply)
      + name           = "terraform-ike-1"
      + object_id      = (known after apply)
      + peer_address   = {
          + ip = "81.107.85.199"
        }
      + protocol       = {
          + ikev1   = {
              + dpd = {
                  + enable = true
                }
            }
          + ikev2   = {
              + dpd                = {
                  + enable = true
                }
              + ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
            }
          + version = "ikev2-preferred"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
sase_ike_gateways.this: Creating...
╷
│ Error: Error in create
│ 
│   with sase_ike_gateways.this,
│   on main.tf line 36, in resource "sase_ike_gateways" "this":
│   36: resource "sase_ike_gateways" "this" {
│ 
│ object not found
╵

Screenshots

Context

Your Environment

ancoleman commented 1 year ago

I was able to determine that the object not found would refer to the ike_crypto_profile

resource "sase_ike_gateways" "this" {
  folder = "Remote Networks"
  name = "terraform-ike-3"
  authentication = {
    pre_shared_key               = {
      key = "mytestkey1234"
    }
  }
  peer_address = {
    ip = "81.107.85.198"
  }
  protocol = {
    ikev1 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
    }
    version = "ikev1"
  }
}

this seemed to work....

Hemant40 commented 1 year ago

This is not working. Giving below error. Could you please help me identify what is missing here?

[root@localhost prisma]# cat ike_gw.tf
resource "sase_ike_gateways" "this" {
  folder = "Remote Networks"
  name = "terraform-ike-3"
  authentication = {
    pre_shared_key = {
      key = "mytestkey1234"
    }
  }
  peer_address = {
    ip = "81.107.85.198"
  }
  protocol = {
    ikev1 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
    }
    version = "ikev1"
  }
}


Error when I run the terraform plan:

[root@localhost prisma]# terraform plan
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - paloaltonetworks-local/sase in /home/Hemant/terraform_prisma_sase/terraform-provider-sase
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
sase_ike_gateways.this: Refreshing state... [id=Remote Networks:8f4dd1af-996e-4be8-818f-db04cec13d3b]
sase_objects_addresses.x: Refreshing state... [id=Shared:d365b705-ef40-4107-a3c5-c2390d55a988]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Error reading config
│ 
│   with sase_ike_gateways.this,
│   on ike_gw.tf line 1, in resource "sase_ike_gateways" "this":
│    1: resource "sase_ike_gateways" "this" {
│ 
│ [HTTP 400] API_I00035 Invalid Request Payload - ["folder" is required]

shinmog commented 1 year ago
│ [HTTP 400] API_I00035 Invalid Request Payload - ["folder" is required]

Seems like folder needs to be added to the Read here as well...? I'll just add it to Read and not Update or Delete, see if it works after that.

shinmog commented 1 year ago

You'll have to update both sase-go and this repo for the fix.

ancoleman commented 1 year ago

I pulled the latest from both, and now I get a build failure on the provider:

(venv) (base) acoleman@M-KGYXTTH2MF terraform-provider-sase % go build
# github.com/paloaltonetworks/terraform-provider-sase/internal/provider
internal/provider/ike_gateways.go:879:3: unknown field Folder in struct literal of type ikegateways.ReadInput
internal/provider/ike_gateways.go:893:30: input.Folder undefined (type ikegateways.ReadInput has no field or method Folder)
internal/provider/ike_gateways.go:1647:3: unknown field Folder in struct literal of type ikegateways.ReadInput
ancoleman commented 1 year ago

I commented it out of provider.go and renamed ike_gateways.go, and the build succeeded. However, when testing, remote networks CRUD ops worked fine; for all other resources the same error happens:

(venv) (base) acoleman@M-KGYXTTH2MF security_profiles % terraform destroy --auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - paloaltonetworks-local/sase in /Users/acoleman/Documents/Projects/PracticeDevelopment/github/terraform-provider-sase
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵
sase_anti_spyware_profiles.this: Refreshing state... [id=Mobile Users:6d571485-e7c6-4f07-8763-bab1045eacf0]
╷
│ Error: Error reading config
│ 
│   with sase_anti_spyware_profiles.this,
│   on main.tf line 7, in resource "sase_anti_spyware_profiles" "this":
│    7: resource "sase_anti_spyware_profiles" "this" {
│ 
│ [HTTP 400] API_I00035 Invalid Request Payload  - ["folder" is required]

I assume the reason remote_networks worked fine, is because of the changes on the sase-go sdk.

This commit: https://github.com/PaloAltoNetworks/sase-go/commit/681c61c79a70012cf906cd597e2dcb450da9991b#diff-ba7ae76f3a70b9988e0cd29c1eee7664be2d96e79b5fe5cc05f386e98f969b7bR77

shinmog commented 1 year ago

My bad, missed a commit push. This will add the folder to the Read() for the resource, but the pre_shared_key issue still needs eng attention.

Hemant40 commented 1 year ago

I have updated both the repos and built the provider again. Now I am getting the below error while creating the ike_gw.

[screenshot]

Code for reference:

[root@localhost prisma]# cat ike_gw.tf
resource "sase_ike_gateways" "this" {
  folder = "Remote Networks"
  name = "terraform-ike-3"
  authentication = {
    pre_shared_key = {
      key = "mytestkey1234"
    }
  }
  peer_address = {
    ip = "81.107.85.198"
  }
  protocol = {
    ikev1 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
    }
    version = "ikev1"
  }
}

Hemant40 commented 1 year ago

Same issue when I am creating an Address object in another folder.

[screenshot]

Code for reference:

resource "sase_objects_addresses" "x" {
  folder = "Shared"
  name = "Beaucoup Fish"
  description = "Made by Terraform"
  ip_netmask = "8.8.88.181"
  ip_range = "10.8.1.0-10.8.1.254"
}

shinmog commented 1 year ago

@Hemant40

Two things. First, enable verbose logging on the communication between SASE API and Terraform by adding this to your provider block:

provider "sase" {
    ....
    logging = "detailed"
}

Second, ask Terraform to show you all the communication between you and SASE API by turning on debug logging. You can do this just for a single terraform apply by putting the environment variable before the command like so:

TF_LOG=DEBUG terraform apply

Now you can see what's going on between you and the SASE API; this should give you more information.
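The debug run described above prints full request bodies, which for this resource include the IKE pre-shared key, so the log is worth filtering before it is attached to an issue. This added example (not part of the thread or of the provider) keeps only the SASE API exchange and masks the key value; the log line layout and the sample lines are constructed, only the `pre_shared_key` / `key` names and the API_I00035 error come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the provider: narrow a TF_LOG=DEBUG
# run down to the SASE API exchange and mask the IKE pre-shared key before
# the log leaves the machine. The log line layout below is constructed; the
# "pre_shared_key" / "key" names come from the resource schema in the thread.

# Keep request, HTTP status and error lines; replace any "key":"..." value.
filter_sase_log() {
    grep -E 'sending request|HTTP [0-9]{3}|pre_shared_key|API_I00035|object not found' \
        | sed -E 's/("key"[[:space:]]*:[[:space:]]*")[^"]*"/\1<REDACTED>"/g'
}

# Constructed sample of a debug run (three relevant lines, one noise line).
sample_log() {
    cat <<'EOF'
2023-01-01T10:00:00.000Z [DEBUG] provider.terraform-provider-sase: sending request: method=POST resource=ike-gateways
2023-01-01T10:00:00.001Z [DEBUG] provider.terraform-provider-sase: body={"folder":"Remote Networks","name":"terraform-ike-3","authentication":{"pre_shared_key":{"key":"mytestkey1234"}}}
2023-01-01T10:00:00.500Z [DEBUG] provider.terraform-provider-sase: response: HTTP 400 API_I00035 Invalid Request Payload - ["folder" is required]
2023-01-01T10:00:00.501Z [DEBUG] provider.terraform-provider-sase: unrelated plugin chatter
EOF
}

# Run the filter over the constructed sample; prints the filtered lines.
run_sample() {
    sample_log | filter_sase_log
}

# On a real run, the same filter sits behind the command from the thread:
#   TF_LOG=DEBUG terraform apply 2>&1 | filter_sase_log > sase-debug.log
```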