search

PaloAltoNetworks / terraform-provider-scm

The Terraform provider for Strata Cloud Manager
Apache License 2.0
7 stars 2 forks source link

scm_url_access_profile credential_envorcement.mode issue #17

Open murathatipoglu opened 4 months ago

murathatipoglu commented 4 months ago

Describe the bug

I am using the following code for credential_enforcement under scm_url_access_profile resource

resource "scm_url_access_profile" "DLP_Default_Internet" { [... cut ...] credential_enforcement = { blocks = [ "medium-risk", "high-risk", "ransomware", ] mode = { disabled = true } log_severity = "high" } }

Then getting the error during terraform apply. Error is shared under Current Behavior below

Expected behavior

No error should be returned and creation of the resource should succeed without error. That is because you are supposed to use one of "disabled", "domain_credentials", "ip_user" options.

Current behavior

url_access_profile is being created as part of the terafform apply but apply process is being terminated with the thrown error.

│ Error: Provider produced inconsistent result after apply │ │ When applying changes to scm_url_access_profile.DLP_Default_Internet, │ provider "provider[\"registry.terraform.io/paloaltonetworks/scm\"]" │ produced an unexpected new value: │ .credential_enforcement.mode.domain_credentials: was cty.False, but now │ null. │ │ This is a bug in the provider, which should be reported in the provider's │ own issue tracker. ╵ ╷ │ Error: Provider produced inconsistent result after apply │ │ When applying changes to scm_url_access_profile.DLP_Default_Internet, │ provider "provider[\"registry.terraform.io/paloaltonetworks/scm\"]" │ produced an unexpected new value: .credential_enforcement.mode.ip_user: was │ cty.False, but now null. │ │ This is a bug in the provider, which should be reported in the provider's │ own issue tracker.

Possible solution

Update url_access_profile resource code and make sure one of "disabled", "domain_credentials", or "ip_user" options will suffice for a successfull apply

Steps to reproduce

just create a url_access_profile via terraform provider and it will throw the same error

Screenshots

Context

This issue is preventing us to use URL Access Profiles as part of terraform automated PRisma Access maintenance

Your Environment

ancoleman commented 4 months ago

@murathatipoglu, I will review this to determine if changes are required to handle the API response, or escalate this to our product team.

murathatipoglu commented 4 months ago

Thanks for your kind support @ancoleman

I believe it should be a quick fix. one of the option is required under credential_enforcement -> mode. In our case we pick disabled = true. Other two options (domain_credentials, ip_user) should not be altered and linked with "null". They could stay with their default setting is which is false. I hope this makes sense.

ksudhir1508 commented 3 months ago

Hello @ancoleman , do we made any progress to fix this issue?